PATENT COOPERATION TREATY



From the INTERNATIONAL BUREAU 



PCT 

NOTIFICATION OF ELECTION 

(PCT Rule 61.2) 


To: 

Assistant Commissioner for Patents 
United States Patent and Trademark Office
Box PCT

Washington, D.C.20231 
ETATS-UNIS D'AMERIQUE 

in its capacity as elected Office 


Date of mailing (day/month/year) 




International application No. 
PCT/GB00/00370


Applicant's or agent's file reference 
30990020 WO 


International filing date (day/month/year) 
08 February 2000 (08.02.00) 


Priority date (day/month/year) 

08 February 1999 (08.02.99) 


Applicant 

MAO, Wenbo 



1. The designated Office is hereby notified of its election made:

[X] in the demand filed with the International Preliminary Examining Authority on:

04 September 2000 (04.09.00) 



[ ] in a notice effecting later election filed with the International Bureau on:



2. The election [X] was

[ ] was not

made before the expiration of 19 months from the priority date or, where Rule 32 applies, within the time limit under 
Rule 32.2(b). 





Authorized officer 


The International Bureau of WIPO 




34, chemin des Colombettes 


Pascal Piriou 


1211 Geneva 20, Switzerland 




Facsimile No.: (41-22) 740.14.35 


Telephone No.: (41-22) 338.83.38 


Form PCT/IB/331 (July 1992) 


GB0000370 



PCT

REQUEST 



The undersigned requests that the present 

international application be processed 
according to the Patent Cooperation Treaty. 



International Application No. 



EL652176636US 
For receiving Office use only 



International Filing Date 



Name of receiving Office and "PCT International Application"



Applicant's or agent's file reference 

(if desired) (12 characters maximum) 30990020 WO



Box No. I TITLE OF INVENTION 

Verification of the Private Components of a Public-Key 


Cryptographic System 


Box No. II APPLICANT


Name and address: (Family name followed by given name; for a legal entity, full official
designation. The address must include postal code and name of country. The country of the
address indicated in this Box is the applicant's State (that is, country) of residence if no State
of residence is indicated below.)

Hewlett-Packard Company 
3000 Hanover Street 
Palo Alto 
CA 94304 
US 


[ ] This person is also inventor.


Telephone No. 


Facsimile No. 


Teleprinter No. 


State (that is, country) of nationality: 
US 


State (that is, country) of residence: 
US 


This person is applicant for the purposes of: [ ] all designated States [X] all designated States except the United States of America [ ] the United States of America only [ ] the States indicated in the Supplemental Box


Box No. III FURTHER APPLICANT(S) AND/OR (FURTHER) INVENTOR(S)


Name and address: (Family name followed by given name; for a legal entity, full official
designation. The address must include postal code and name of country. The country of the
address indicated in this Box is the applicant's State (that is, country) of residence if no State
of residence is indicated below.)

MAO, Wenbo 
60 Wheatfield Drive 
Bradley Stoke 
Bristol BS32 9DD 
GB 


This person is: 

[ ] applicant only

[X] applicant and inventor

[ ] inventor only (If this check-box is marked, do not fill in below.)


State (that is, country) of nationality: 
CN 


State (that is, country) of residence: 
GB 


This person is applicant for the purposes of: [ ] all designated States [ ] all designated States except the United States of America [X] the United States of America only [ ] the States indicated in the Supplemental Box


[ ] Further applicants and/or (further) inventors are indicated on a continuation sheet.


Box No. IV AGENT OR COMMON REPRESENTATIVE; OR ADDRESS FOR CORRESPONDENCE 


The person identified below is hereby/has been appointed to act on behalf of the applicant(s) before the competent International Authorities as: [X] agent [ ] common representative


Name and address: (Family name followed by given name; for a legal entity, full official
designation. The address must include postal code and name of country.)

LAWRENCE, Richard Anthony 
Hewlett-Packard Limited 
Intellectual Property Section 
Filton Road

Stoke Gifford, Bristol BS34 8QZ 
GB 


Telephone No. 

(0)117-312-8295 


Facsimile No. 

(0)117-312-8941 


Teleprinter No. 


[ ] Address for correspondence: Mark this check-box where no agent or common representative is/has been appointed and the
space above is used instead to indicate a special address to which correspondence should be sent.



Form PCT/RO/101 (first sheet) (July 1998; reprint January 2000)



See Notes to the request form 



Box No. V DESIGNATION OF STATES



Sheet No. 2. 



The following designations are hereby made under Rule 4.9(a) (mark the applicable check-boxes; at least one must be marked):
Regional Patent 

□ AP ARIPO Patent: GH Ghana, GM Gambia, KE Kenya, LS Lesotho, MW Malawi, SD Sudan, SL Sierra Leone, SZ Swaziland,
TZ United Republic of Tanzania, UG Uganda, ZW Zimbabwe, and any other State which is a Contracting State of the Harare
Protocol and of the PCT

□ EA Eurasian Patent: AM Armenia, AZ Azerbaijan, BY Belarus, KG Kyrgyzstan, KZ Kazakhstan, MD Republic of Moldova, 

RU Russian Federation, TJ Tajikistan, TM Turkmenistan, and any other State which is a Contracting State of the Eurasian Patent 
Convention and of the PCT 

[X] EP European Patent: AT Austria, BE Belgium, CH and LI Switzerland and Liechtenstein, CY Cyprus, DE Germany,
DK Denmark, ES Spain, FI Finland, FR France, GB United Kingdom, GR Greece, IE Ireland, IT Italy, LU Luxembourg,
MC Monaco, NL Netherlands, PT Portugal, SE Sweden, and any other State which is a Contracting State of the European Patent 
Convention and of the PCT 

□ OA OAPI Patent: BF Burkina Faso, BJ Benin, CF Central African Republic, CG Congo, CI Côte d'Ivoire, CM Cameroon,
GA Gabon, GN Guinea, GW Guinea-Bissau, ML Mali, MR Mauritania, NE Niger, SN Senegal, TD Chad, TG Togo, and any
other State which is a member State of OAPI and a Contracting State of the PCT (if other kind of protection or treatment desired,
specify on dotted line)

National Patent (if other kind of protection or treatment desired, specify on dotted line): 

□ AE United Arab Emirates
□ AL Albania
□ AM Armenia
□ AT Austria
□ AU Australia
□ AZ Azerbaijan
□ BA Bosnia and Herzegovina
□ BB Barbados
□ BG Bulgaria
□ BR Brazil
□ BY Belarus
□ CA Canada
□ CH and LI Switzerland and Liechtenstein
□ CN China
□ CR Costa Rica
□ CU Cuba
□ CZ Czech Republic
□ DE Germany
□ DK Denmark
□ DM Dominica
□ EE Estonia
□ ES Spain
□ FI Finland
□ GB United Kingdom
□ GD Grenada
□ GE Georgia
□ GH Ghana
□ GM Gambia
□ HR Croatia
□ HU Hungary
□ ID Indonesia
□ IL Israel
□ IN India
□ IS Iceland
□ JP Japan
□ KE Kenya
□ KG Kyrgyzstan
□ KP Democratic People's Republic of Korea
□ KR Republic of Korea
□ KZ Kazakhstan
□ LC Saint Lucia
□ LK Sri Lanka
□ LR Liberia
□ LS Lesotho
□ LT Lithuania
□ LU Luxembourg
□ LV Latvia
□ MA Morocco
□ MD Republic of Moldova
□ MG Madagascar
□ MK The former Yugoslav Republic of Macedonia
□ MN Mongolia
□ MW Malawi
□ MX Mexico
□ NO Norway
□ NZ New Zealand
□ PL Poland
□ PT Portugal
□ RO Romania
□ RU Russian Federation
□ SD Sudan
□ SE Sweden
□ SG Singapore
□ SI Slovenia
□ SK Slovakia
□ SL Sierra Leone
□ TJ Tajikistan
□ TM Turkmenistan
□ TR Turkey
□ TT Trinidad and Tobago
□ TZ United Republic of Tanzania
□ UA Ukraine
□ UG Uganda
[X] US United States of America
□ UZ Uzbekistan
□ VN Viet Nam
□ YU Yugoslavia
□ ZA South Africa
□ ZW Zimbabwe

Check-boxes reserved for designating States which have become party to the PCT after issuance of this sheet: □ □

Precautionary Designation Statement: In addition to the designations made above, the applicant also makes under Rule 4.9(b) all other
designations which would be permitted under the PCT except any designation(s) indicated in the Supplemental Box as being excluded
from the scope of this statement. The applicant declares that those additional designations are subject to confirmation and that any
designation which is not confirmed before the expiration of 15 months from the priority date is to be regarded as withdrawn by the applicant
at the expiration of that time limit. (Confirmation (including fees) must reach the receiving Office within the 15-month time limit.)



Form PCT/RO/101 (second sheet) (January 2000) See Notes to the request form



Sheet No. 



Box No. VI PRIORITY CLAIM



[ ] Further priority claims are indicated in the Supplemental Box.



Filing date 
of earlier application 
(day/month/year) 


Number 
of earlier application 


Where earlier application is: 


national application: 
country 


regional application:* 
regional Office 


international application:
receiving Office 


(08/02/99) 
8 February 1999 


9902687.4 


GB 






item (2) 










item (3) 











The receiving Office is requested to prepare and transmit to the International Bureau a certified copy 
of the earlier application(s) (only if the earlier application was filed with the Office which for the 

purposes of the present international application is the receiving Office) identified above as item(s): 

* Where the earlier application is an ARIPO application, it is mandatory to indicate in the Supplemental Box at least one country party to the Paris
Convention for the Protection of Industrial Property for which that earlier application was filed (Rule 4.10(b)(ii)). See Supplemental Box.



Box No. VII INTERNATIONAL SEARCHING AUTHORITY



Choice of International Searching Authority (ISA) 

(if two or more International Searching Authorities are 
competent to carry out the international search, indicate 
the Authority chosen; the two-letter code may be used) : 

ISA/ 



Request to use results of earlier search; reference to that search (if an earlier
search has been carried out by or requested from the International Searching Authority):



Date (day/month/year)

24 August 1999 



Number 
9902687.4 



Country (or regional Office) 

GB 



Box No. VIII CHECK LIST; LANGUAGE OF FILING



This international application contains 
the following number of sheets: 

request : 3 

description (excluding 
sequence listing part) : 29 

claims : 5 

abstract : 1 

drawings : 9 

sequence listing part 
of description 



Total number of sheets : 47 



This international application is accompanied by the item(s) marked below; 

1. [X] fee calculation sheet

2. [X] separate signed power of attorney

3. [X] copy of general power of attorney; reference number, if any

4. □ statement explaining lack of signature 

5. [X] priority document(s) identified in Box No. VI as item(s):

6. □ translation of international application into (language): 

7. □ separate indications concerning deposited microorganism or other biological material 

8. □ nucleotide and/or amino acid sequence listing in computer readable form 

9. □ other (specify): Search Report 



Figure of the drawings which 
should accompany the abstract: 3 


Language of filing of the international application: English


Box No. IX SIGNATURE OF APPLICANT OR AGENT



Next to each signature, indicate the name of the person signing and the capacity in which the person signs (if such capacity is not obvious from reading the request).




Richard Anthony Lawrence 



1. 


Date of actual receipt of the purported 
international application: 




2. Drawings: 
| | received: 


3. 


Corrected date of actual receipt due to later but 
timely received papers or drawings completing 
the purported international application: 






4. 


Date of timely receipt of the required 
corrections under PCT Article 1 1(2): 






| | not received: 


5. 


International Searching Authority (if two or more are competent): ISA/




6. [ ] Transmittal of search copy delayed until search fee is paid.





For International Bureau use only



Date of receipt of the record copy 
by the International Bureau: 



Form PCT/RO/101 (last sheet) (July 1998; reprint January 2000)



See Notes to the request form 



652176636US 



The demand must be filed directly with the competent International Preliminary Examining Authority or, if two or more Authorities are competent,
with the one chosen by the applicant. The full name or two-letter code of that Authority may be indicated by the applicant on the line below:



PCT 

DEMAND 

under Article 31 of the Patent Cooperation Treaty:
The undersigned requests that the international application specified below be the subject of 
international preliminary examination according to the Patent Cooperation Treaty and 
hereby elects all eligible States (except where otherwise indicated). 



CHAPTER II



Identification of IPEA 



For International Preliminary Examining Authority use only 
Date of receipt of DEMAND 



Box No. I IDENTIFICATION OF THE INTERNATIONAL APPLICATION 


Applicant's or agent's file reference 
30990020 WO 


International application No. International filing date (day/month/year) 
PCT/GB00/00370 8 February 2000 (08/02/00) 


(Earliest) Priority date (day/month/year) 
8 February 1999 (08/02/99) 


Title of invention 

Verification of the private components of a public-key cryptographic system 


Box No. II APPLICANT(S)


Name and address: (Family name followed by given name; for a legal entity, full official designation.
The address must include postal code and name of country) 

Hewlett-Packard Company 
3000 Hanover Street 
Palo Alto 
CA 94304 
US 


Telephone No.: 


Facsimile No.: 


Teleprinter No.: 



State (that is, country) of nationality: 
US 



State (that is, country) of residence: 
US 



Name and address: (Family name followed by given name; for a legal entity, full official designation. The address must include postal code and name of country.) 

MAO, Wenbo 
60 Wheatfield Drive 
Bradley Stoke 
Bristol BS32 9DD 
GB 



State (that is, country) of nationality:
CN


State (that is, country) of residence:
GB



Name and address: (Family name followed by given name; for a legal entity, full official designation. The address must include postal code and name of country.) 



State (that is, country) of nationality: 



[ ] Further applicants are indicated on a continuation sheet
Form PCT/IPEA/401 (first sheet) (July 1998; reprint July 1999)



State (that is, country) of residence: 



See Notes to the demand form 



Sheet No. 2.



International application No. 

PCT/GB00/00370



Box No. III AGENT OR COMMON REPRESENTATIVE; OR ADDRESS FOR CORRESPONDENCE



The following person is [X] agent [ ] common representative

and [X] has been appointed earlier and represents the applicant(s) also for international preliminary examination.

[ ] is hereby appointed and any earlier appointment of (an) agent(s)/common representative is hereby revoked.

[ ] is hereby appointed, specifically for the procedure before the International Preliminary Examining Authority, in addition to
the agent(s)/common representative appointed earlier.



Name and address: (Family name followed by given name; for a legal entity, full official designation.
The address must include postal code and name of country.)

LAWRENCE, Richard Anthony 

Hewlett-Packard Limited 

Intellectual Property Section 

Filton Road 

Stoke Gifford 

Bristol BS34 8QZ 

GB 



Telephone No.: 
(0)117-312-8295 



Facsimile No.: 

(0)117-312-8941 



Teleprinter No.: 



□ Address for correspondence: Mark this check-box where no agent or common representative is/has been appointed and the
space above is used instead to indicate a special address to which correspondence should be sent.



Box No. IV BASIS FOR INTERNATIONAL PRELIMINARY EXAMINATION



Statement concerning amendments:* 

1. The applicant wishes the international preliminary examination to start on the basis of:
[X] the international application as originally filed

the description [ ] as originally filed

[ ] as amended under Article 34

the claims [ ] as originally filed

[ ] as amended under Article 19 (together with any accompanying statement)
[ ] as amended under Article 34

the drawings [ ] as originally filed

[ ] as amended under Article 34

2. [ ] The applicant wishes any amendment to the claims under Article 19 to be considered as reversed.

3. [ ] The applicant wishes the start of the international preliminary examination to be postponed until the expiration of 20 months

from the priority date unless the International Preliminary Examining Authority receives a copy of any amendments made
under Article 19 or a notice from the applicant that he does not wish to make such amendments (Rule 69.1(d)). (This check-
box may be marked only where the time limit under Article 19 has not yet expired.)

* Where no check-box is marked, international preliminary examination will start on the basis of the international application
as originally filed or, where a copy of amendments to the claims under Article 19 and/or amendments of the international application
under Article 34 are received by the International Preliminary Examining Authority before it has begun to draw up a written opinion
or the international preliminary examination report, as so amended.



Language for the purposes of international preliminary examination: English

[X] which is the language in which the international application was filed.

[ ] which is the language of a translation furnished for the purposes of international search.

[ ] which is the language of publication of the international application.

[ ] which is the language of the translation (to be) furnished for the purposes of international preliminary examination.



Box No. V ELECTION OF STATES 



The applicant hereby elects all eligible States (that is, all States which have been designated and which are bound by Chapter II of
the PCT)

excluding the following States which the applicant wishes not to elect: 



Form PCT/IPEA/401 (second sheet) (July 1998; reprint July 1999)



See Notes to the demand form 



Sheet No. 



International application No. 

PCT/GB00/00370 



Box No. VI CHECKLIST 



The demand is accompanied by the following elements, in the language referred to in
Box No. IV for the purposes of international preliminary examination:



1. translation of international application

2. amendments under Article 34

3. copy (or, where required, translation) of
amendments under Article 19

4. copy (or, where required, translation) of
statement under Article 19

5. letter 

6. other (specify) 



For International Preliminary Examining Authority use only: for each of items 1-6 above, the columns "received", "not received" and "sheets" (all check-boxes empty on this copy).



The demand is also accompanied by the item(s) marked below: 

1. [X] fee calculation sheet

2. [ ] separate signed power of attorney

3. [ ] copy of general power of attorney; reference number, if any:

4. [ ] statement explaining lack of signature

5. [ ] nucleotide and/or amino acid sequence listing in computer readable form

6. [ ] other (specify):



Box No. VII SIGNATURE OF APPLICANT, AGENT OR COMMON REPRESENTATIVE



Next to each signature, indicate the name of the person signing and the capacity in which the person signs (if such capacity is not obvious from reading the demand). 




Richard Anthony Lawrence 



For International Preliminary Examining Authority use only



1. Date of actual receipt of DEMAND: 



2. Adjusted date of receipt of demand due
to CORRECTIONS under Rule 60.1(b):



3. [ ] The date of receipt of the demand is AFTER the expiration of 19 months
from the priority date and item 4 or 5, below, does not apply.



□ The applicant has been informed accordingly.



4. [ ] The date of receipt of the demand is WITHIN the period of 19 months from the priority date as extended by virtue of
Rule 80.5.



5. [ ] Although the date of receipt of the demand is after the expiration of 19 months from the priority date, the delay in arrival
is EXCUSED pursuant to Rule 82.



For International Bureau use only 



Demand received from IPEA on: 



Form PCT/IPEA/401 (last sheet) (July 1998; reprint July 1999) 



See Notes to the demand form



EL652176636US 

PATENT COOPERATION TREATY

PCT 



INTERNATIONAL PRELIMINARY EXAMINATION REPORT 

(PCT Article 36 and Rule 70) 



Applicant's or agent's file reference
30990020 WO 


FOR FURTHER ACTION: See Notification of Transmittal of International Preliminary Examination Report (Form PCT/IPEA/416)


International application No. 
PCT/GB00/00370


International filing date (day/month/year) 
08/02/2000 


Priority date (day/month/year) 
08/02/1999 


International Patent Classification (IPC) or national classification and IPC 
H04L9/32 


Applicant 

HEWLETT-PACKARD COMPANY et al. 



1. This international preliminary examination report has been prepared by this International Preliminary Examining Authority
and is transmitted to the applicant according to Article 36. 



2. This REPORT consists of a total of 5 sheets, including this cover sheet. 

[X] This report is also accompanied by ANNEXES, i.e. sheets of the description, claims and/or drawings which have
been amended and are the basis for this report and/or sheets containing rectifications made before this Authority 
(see Rule 70.16 and Section 607 of the Administrative Instructions under the PCT). 

These annexes consist of a total of 1 sheets. 



3. This report contains indications relating to the following items: 



I [X] Basis of the report

II □ Priority

III □ Non-establishment of opinion with regard to novelty, inventive step and industrial applicability

IV □ Lack of unity of invention

V [X] Reasoned statement under Article 35(2) with regard to novelty, inventive step or industrial applicability;
citations and explanations supporting such statement

VI □ Certain documents cited

VII □ Certain defects in the international application

VIII [X] Certain observations on the international application



Date of submission of the demand 
04/09/2000 


Date of completion of this report 
14.03.2001 


Name and mailing address of the international 
preliminary examining authority: 

European Patent Office - P.B. 5818 Patentlaan 2
NL-2280 HV Rijswijk - Pays Bas

Tel. +31 70 340 - 2040 Tx: 31 651 epo nl
Fax: +31 70 340 - 3016


Authorized officer

Zucka, G.
Telephone No. +31 70 340 4026



Form PCT/IPEA/409 (cover sheet) (January 1994)



INTERNATIONAL PRELIMINARY 
EXAMINATION REPORT 



International application No. PCT/GB00/00370 



I. Basis of the report

1. This report has been drawn on the basis of (substitute sheets which have been furnished to the receiving Office in
response to an invitation under Article 14 are referred to in this report as "originally filed" and are not annexed to
the report since they do not contain amendments (Rules 70.16 and 70.17).):
Description, pages: 

1-29 as originally filed
Claims, No.:

1-6, 7 (part) as originally filed

7 (part), 8-13 as received on 13/01/2001 with letter of 05/01/2001

Drawings, sheets: 

1/9-9/9 as originally filed 



2. With regard to the language, all the elements marked above were available or furnished to this Authority in the 
language in which the international application was filed, unless otherwise indicated under this item. 

These elements were available or furnished to this Authority in the following language: , which is: 

□ the language of a translation furnished for the purposes of the international search (under Rule 23.1 (b)). 

□ the language of publication of the international application (under Rule 48.3(b)). 

□ the language of a translation furnished for the purposes of international preliminary examination (under Rule 
55.2 and/or 55.3). 

With regard to any nucleotide and/or amino acid sequence disclosed in the international application, the 
international preliminary examination was carried out on the basis of the sequence listing: 

□ contained in the international application in written form. 

□ filed together with the international application in computer readable form. 

□ furnished subsequently to this Authority in written form. 

□ furnished subsequently to this Authority in computer readable form. 

□ The statement that the subsequently furnished written sequence listing does not go beyond the disclosure in 
the international application as filed has been furnished. 

□ The statement that the information recorded in computer readable form is identical to the written sequence 
listing has been furnished. 

4. The amendments have resulted in the cancellation of: 



Form PCT/IPEA/409 (Boxes I-VIII, Sheet 1) (July 1998)



INTERNATIONAL PRELIMINARY 
EXAMINATION REPORT 



International application No. PCT/GB00/00370



□ the description, pages: 

□ the claims, Nos.: 

□ the drawings, sheets: 

5. □ This report has been established as if (some of) the amendments had not been made, since they have been 

considered to go beyond the disclosure as filed (Rule 70.2(c)): 

(Any replacement sheet containing such amendments must be referred to under item 1 and annexed to this 
report.) 

6. Additional observations, if necessary: 



V. Reasoned statement under Article 35(2) with regard to novelty, inventive step or industrial applicability; 
citations and explanations supporting such statement 

1. Statement 

Novelty (N) Yes: Claims 1-13 

No: Claims 

Inventive step (IS) Yes: Claims 1-13 

No: Claims 

Industrial applicability (IA) Yes: Claims 1-13 

No: Claims 



2. Citations and explanations 
see separate sheet 



VIII. Certain observations on the international application 

The following observations on the clarity of the claims, description, and drawings or on the question whether the 
claims are fully supported by the description, are made: 
see separate sheet 



Form PCT/IPEA/409 (Boxes I-VIII, Sheet 2) (July 1998)



INTERNATIONAL PRELIMINARY International application No. PCT/GB00/00370

EXAMINATION REPORT - SEPARATE SHEET 



Ad V: 

1. Reference is made to the following document:

D1 : R. BERGER, S. KANNAN, R. PERALTA: 'A Framework for the Study of 
Cryptographic Protocols' ADVANCES IN CRYPTOLOGY - 
PROCEEDINGS OF CRYPTO 85, 18 - 22 August 1985, pages 87-103, 
XP002136911 cited in the application

2. The document D1 (cited on page 2 of the description) discloses a method of 
exchanging public key verification data, which just like the method of the 
independent claim 1, uses a zero-knowledge proof.

3. The method of claim 1 distinguishes itself from the prior art, in that a Monte-Carlo 
test for primality is carried out in a specific way. 

The method has the advantage of proving the two-prime product structure of a
number with a cost of O(k log² n) multiplications and an error probability of 1/2^k (if
k = 60, n > 2^512, and 1/2^k ≫ 24/n^(1/4)), regardless of whether the number in question
is a Blum integer or not.

Such a way of proceeding is not disclosed or rendered obvious by any of the 
documents cited in the search report, and the subject-matter of claim 1 is 
therefore both new and inventive. 

4. The independent claims 4 and 7 relate to devices carrying out the method of claim 
1, and the independent claim 13 relates to a computer storage medium containing 
a corresponding program. The subject-matter of these claims is consequently new 
and inventive for the same reasons as indicated above. 

5. Claims 2-3, 5-6, and 8-12 are truly dependent claims, and their subject-matter is 
therefore also new and inventive. 

6. The subject-matter of claims 1-13 is industrially applicable. 



Form PCT/Separate Sheet/409 (Sheet 1) (EPO-April 1997)






INTERNATIONAL PRELIMINARY International application No. PCT/GB00/00370

EXAMINATION REPORT - SEPARATE SHEET 



Ad VIII: 

Some of the claims contain expressions between brackets which are not reference
signs, but instead are intended to be part of the definition for the claimed subject-matter,
e.g. the expression "(l(p).l(q))" in claim 1. This renders the claims unclear
(Article 6 PCT).

The expressions would have been considered clear without the enclosing brackets. 



Form PCT/Separate Sheet/409 (Sheet 2) (EPO- April 1997) 



13-01-2001 GB0000370

e)ch«kfta.fe)=-l sod. if »,«lec. wo nndom ««»*»« and, such ttal 
' «.W«,-IV2). «v)=«(,->)/2)and^de»^^c«»I»^^*e 

^ ^ Jf„ = B^' " DOd " ) ff„ = -d 
values 1/-S*. K=g*. "» • 

H ur =h"K'tas>An- 

should be either 

(l)r«=uands = v;or 
*) (2) r = «+<p- 1*2, * = v+(*-l)/2 

0providefcet^^ 
8 Ame&wlasclan^mclaan7mwiichrf^2. 

9. Amethodascl^^ 

numbers uniformly dktribmed. ^ 

vi^ private circuit or pubUctele^^ 
computer entity as claimed in claim 7. 



34 



AMENDED SHEET 






WORLD INTELLECTUAL PROPERTY ORGANIZATION 
International Bureau 




PCT 
multiplications of integers of size of n, where k is the number of iterations in the proof and relates to an error probability bounded by
max(1/2^k, 24/n^(1/4)).
Verification of the private components of a public-key cryptographic system

Technical field 

This invention relates to apparatus and methods for verifying the private 
components of a public-key cryptographic system. 

Background to the invention 

Electronic commerce plays an increasingly important role in modern society and 
necessarily involves the transmission of electronic data between two parties. In a 
commercial environment, a first party may wish to transmit electronic data to a second 
party over an intervening communications network, in particular the internet, only when 
confident that there is adequate security against eavesdroppers that may be present on the 
network. The parties may be computer entities, for example. 

One way to achieve this is for the first party to encrypt the data in a manner that 
only the second party can decrypt after receipt. One class of such encryption techniques, 
and with which the present invention is concerned, is public-key cryptography based on 
the computational difficulty of factoring large integers. The first party encrypts a message
by use of a public key published by the second party, the encrypted message being
practicably decryptable only by use of the corresponding private components of the key held by the
second party. These techniques include the well-known RSA cryptosystem, for example.

In many cases, the first party will not wish to use the encryption system without 
being confident that the public-key to be used to encrypt the data conforms to an agreed set 
of criteria related to the security of the encryption to be obtained. One way to achieve this 
is to seek a certificate from a trusted certification authority that has verified to its own 
satisfaction that the public-key does so conform. An alternative way is for the first party to 
seek verification directly from the second party. Whatever the route to verification, the 
owner of the public-key generally prefers, and it is often a requirement of the encryption 
standard adopted, that the proof that the public-key is as it is claimed is achieved without 
revealing the private component to the verifier. That is, the proving party runs what is 
called a protocol with the verifying party that provides a 'knowledge proof' of the validity
of the private components. For instance, the ISO standardization document 9798 part 3
recommends that public-key certification include a knowledge proof of possession of the
private component that matches the public key to be certified.

An example of such a set of criteria known to provide a highly secure public-key is 
that the public-key is an integer (n) which is the product of only two odd primes (p,q) and 
that the primes have lengths in bits which differ by no more than a predetermined value, d, 
commonly equal to 2. 

Given the computational intractability of factoring large integers, there exists no 
known algorithm that can be input a given number n and terminate in a polynomial time in 
the size of n with an output answering whether n is the product of exactly two odd primes. 
Nevertheless, there do exist practically efficient interactive protocols that run in 
polynomial time and allow a prover who knows the factorization of n to prove such a 
structure to the satisfaction of a verifier without disclosing the factorization information to 
the latter. 

An early idea for proving n in such a structure is based on an observation due to 
Adleman [see R. Berger, S. Kannan and R. Peralta. A framework for the study of 
cryptographic protocols, Advances in Cryptology - Proceedings of CRYPTO 85 (H.C. 
Williams ed.), Lecture Notes in Computer Science, Springer-Verlag 218 (1986), pp. 87- 
103]. He suggested using the fact that if n has exactly two different prime factors (which 
may include their powers) then exactly a quarter of the elements in the multiplicative group 
mod n are quadratic residues (square numbers mod n). On the other hand, if n has more than 
two prime factors then at most one-eighth of them are quadratic residues. Thus a prover, 
knowing the factorization of n, can show a verifier the structure via binomial trials that for 
a set of k elements randomly chosen from the multiplicative group mod n, roughly k/4 of 
them are quadratic residues (shown by disclosing to the verifier their square roots). Using 
a normal distribution as an approximation to the probability of binomial trials (a standard 
method), Berger et al [R. Berger, S. Kannan and R. Peralta. A framework for the study of 
cryptographic protocols, Advances in Cryptology - Proceedings of CRYPTO 85 (H.C. 
Williams ed.), Lecture Notes in Computer Science, Springer-Verlag 218 (1986), pp. 87- 
103] established that if 2 ^ L k or more such elements are shown to be quadratic residues 
then the proof should be accepted with the probability of error between e^{-k/4} and e^{-k/5}. 
Thus, k should be in thousands (k = 3000 was suggested in [R. Berger, S. Kannan and R. 
Peralta. A framework for the study of cryptographic protocols, Advances in Cryptology - 
Proceedings of CRYPTO 85 (H.C. Williams ed.), Lecture Notes in Computer Science, 
Springer-Verlag 218 (1986), pp. 87-103]) in order for the error probability to be negligibly 
small. (We note e^{-3000/4} < 1/2^{…} < e^{-3000/5} and regard an amount at this level to be negligibly 
small). Since the cost for computing a square root mod n is measured by O(log_2 n) 
multiplications of integers mod n, the total cost for proving the two-prime-product 
structure of a number n by showing quadratic residue information will be O(k log_2 n) 
(multiplications mod n) with an error probability between e^{-k/4} and e^{-k/5}. 

Van de Graaf and Peralta [J. van de Graaf and R. Peralta. A simple and secure way 
to show the validity of your public-key, Advances in Cryptology - Proceedings of 
CRYPTO 87 (E. Pomerance, ed.), Lecture Notes in Computer Science, Springer-Verlag 
293 (1988), pp. 128-134] observed that if n is a Blum integer, that is, n is the product of 
two distinct prime factors (again this may include their powers), both congruent to 3 mod 
4, then any element in the multiplicative group mod n with positive Jacobi symbol has 
the property that either itself or its negation is a quadratic residue modulo n. Their protocol 
for proof of Blum integer is based on this fact. A number of other previous protocols for 
proving two-prime-product structure also use this idea (e.g., [J. Camenisch and M. 
Michels. Proving in zero-knowledge that a number is the product of two safe primes, In 
Advances in Cryptology - EUROCRYPT 99, Lecture Notes in Computer Science, 
Springer-Verlag 1592 (1999), pp. 106-121; R. Gennaro, D. Micciancio and T. Rabin. An 
efficient non-interactive statistical zero-knowledge proof system for quasi-safe prime 
products, In 5th ACM Conference on Computer and Communications Security, October 
1998; M. Liskov and R.D. Silverman. A statistical limited-knowledge proof for secure 
RSA keys, IEEE P1363 Research Contributions, Available at 
http://grouper.ieee.org/groups/1363/contributions/ifkeyval.ps]). 
Note that provided n is not a square number (which is easy to test against), exactly half 
of the elements in the multiplicative group mod n have a positive Jacobi symbol, which 
is also easy to evaluate. Thus, given such n, the above demonstration actually shows that a 
quarter of elements in the group are quadratic residues (since a quadratic residue must have 
positive Legendre symbol mod all prime factors, and only half of the elements mod a prime 
have positive Jacobi symbol). If n is not in a two-prime-product structure then it is 
certainly not a Blum integer. Omitting details, for any group element of positive Jacobi 
symbol mod such n (which is non-Blum and non-square), a prover will have at most a 50% 
chance of correctly demonstrating the above. Clearly, such a proof using k random 
challenges will result in an error probability bounded by 1/2^k, which approaches zero much 
faster than e^{-k/4}. (See the comparison between them in the previous paragraph). 

The simplest way to show quadratic residue evidence is to display a square root of a 
quadratic residue. In the protocol of Van de Graaf and Peralta for proving Blum integer, 
the verifier should check that the Jacobi symbol of a square root of a random challenge 
complies with a pre-agreed random sign. This follows Blum's observation that if n is a 
Blum integer, then any quadratic residue has square roots of positive and negative Jacobi 
symbols [M. Blum. Coin flipping by telephone: a protocol for solving impossible 
problems, Proceedings of 24th IEEE Computer Conference (CompCon), 1982, pp. 133- 
137.]. In the protocol of Gennaro et al [R. Gennaro, D. Micciancio and T. Rabin. An 
efficient non-interactive statistical zero-knowledge proof system for quasi-safe prime 
products, In 5th ACM Conference on Computer and Communications Security, October 
1998.], a verifier should require that for each challenge g sent, a square root of 
either ±g or ±2g mod n be replied. It is possible for a prover to correctly respond to 
such challenges if one of the prime factors of n is congruent to 5 mod 8 and the other to 7 
mod 8. These form an additional constraint to n being a Blum integer. 

Note that two different square roots of a quadratic residue mod n can lead to 
factoring n with a non-trivial probability. So it will be dangerous for a prover to disclose a 
square root of a challenge which is solely selected by the verifier. The two protocols in [R. 
Gennaro, D. Micciancio and T. Rabin. An efficient non-interactive statistical zero- 
knowledge proof system for quasi-safe prime products, In 5th ACM Conference on 
Computer and Communications Security, October 1998; J. van de Graaf and R. Peralta. A 
simple and secure way to show the validity of your public-key, Advances in Cryptology - 
Proceedings of CRYPTO 87 (E. Pomerance, ed.), Lecture Notes in Computer Science, 
Springer-Verlag 293 (1988), pp. 128-134] assume the existence of a mutually trusted random 
source which is accessible by the prover and verifier. The applicant believes that it will be 
costly to implement a mutually trusted random source between two mutually untrusted 
parties. The cost can be estimated by a protocol that allows the two parties to generate 
mutually trusted random elements without using a trusted third party. Blum's idea of coin 
flipping [M. Blum. Coin flipping by telephone: a protocol for solving impossible 
problems, Proceedings of 24th IEEE Computer Conference (CompCon), 1982, pp. 133- 
137.] is such a protocol and is used by [R. Berger, S. Kannan and R. Peralta. A framework 
for the study of cryptographic protocols, Advances in Cryptology - Proceedings of 
CRYPTO 85 (H.C. Williams ed.), Lecture Notes in Computer Science, Springer-Verlag 
218 (1986), pp. 87-103; Z. Galil, S. Haber and M. Yung. A private interactive test of a 
boolean predicate and minimum-knowledge public-key cryptosystems, 26th FOCS, 1985, 
pp. 360-371]. Each instantiation of that protocol generates a truly random bit. Each 
random challenge of the size of n generated this way takes log_2 n iterations and the same 
number of multi-precision operations of integers mod n (evaluation of log_2 n Jacobi 
symbols). Together k log_2 n iterations are needed for merely agreeing on k mutually trusted 
random challenges. 

Above we have analyzed the cost for the previous protocols to prove an integer in 
the two-prime-power structure, i.e., n = p^r q^s where p, q are distinct primes and r, s integers. 
To further prove r = s = 1 one can use the protocol of Boyar et al [J. Boyar, K. Friedl and 
C. Lund. Practical zero-knowledge proofs: Giving hints and using deficiencies, Advances 
in Cryptology - Proceedings of EUROCRYPT 89 (J.-J. Quisquater and J. Vandewalle, 
eds.), Lecture Notes in Computer Science, Springer-Verlag 434 (1990), pp. 155-172.] for 
proving square-free integers. Furthermore, to show that p and q are of roughly equal size one 
can use Damgard's "checking commitment" protocol [I.B. Damgard. Practical 
and provably secure release of a secret and exchange of signatures, Advances in 
Cryptology: Proceedings of EUROCRYPT 93 (T. Helleseth, ed.), Lecture Notes in 
Computer Science, Springer-Verlag, 765 (1994), pp. 201-217.]. However, the costs of 
applying these two additional protocols will be ignored because they are less expensive 
than that for proving the two-prime-power structure, in particular for the case of non-Blum 
integers. 

Solovay and Strassen disclosed, in an article titled "A Fast Monte-Carlo Test for 
Primality", SIAM J. COMPUTING Vol 6, No 1, March 1977, an efficient Monte-Carlo test 
for determining the probability that a given odd integer x is prime. The probability that x is 
composite is < 1/2^k if 

a^{(x-1)/2} ≡ (a/x) (mod x) for all of k random values of a < x, 

where (a/x) is the Jacobi symbol of a mod x. 

This "Solovay-Strassen" test can provide an efficient means for determining 
the probability that each of p and q is prime, where n = pq, by submitting p and q to the 
test in turn. However, this requires p and q to be disclosed to the person verifying that n is 
the product of two, only, primes. 

To better understand the operation of the methods disclosed herein, the following 
terminology is used. 

Let P be a positive integer. Z_P^* denotes the multiplicative group of elements mod P. 
For a ∈ Z_P^*, Ord_P(a) denotes the order of a mod P. 

Let a and b be integers. a | b denotes a dividing b; (a, b) denotes the greatest 
common divisor of a and b; (a/b) denotes the Jacobi symbol of a mod b; ℓ(a) denotes the 
size of a, which is the number of bits in the binary representation of a. 

Let x be a real number. ⌊x⌋ denotes the integer part of x (thus ℓ(a) = ⌊log_2(a)⌋ + 1); 
|x| denotes the absolute value of x. 

Let S be a set. #S denotes the cardinality of S. 

Finally, Pr[E] denotes the probability for event E to occur. 

The present applicant has determined that a Monte-Carlo test of the primality of 
both of positive integers p and q, where n = p.q, can comprise the following steps: 

a) find a prime number P such that n | (P - 1); 

b) select any positive integer f such that A ≠ B, A ≠ 1, B ≠ 1 where 

A = g^p mod P, 
B = g^q mod P, and 
g = f^{(P-1)/n} mod P; 

then repeatedly: 

c) choose a random h ∈ Z_n^* with (h/n) = -1; 

d) choose random positive integers u, v; 

e) calculate, mod P: 

H_u = B^{(h^u mod n)}, 
H_v = A^{(h^v mod n)}, 
r = u + (p - 1)/2, 
s = v + (q - 1)/2; 

f) determine whether, mod P, 

B^{(h^r mod n)} = H_u^{±1} and A^{(h^s mod n)} = H_v^{∓1}. 

It can be seen that the results of a Solovay-Strassen primality test are obtained on 
both p and q by steps e) and f) of this method. Furthermore, the applicant has determined that the 
difficulty of finding p and q from knowledge of n, A and B of this test is at least as 
difficult as solving the decision problem on the membership of the Diffie-Hellman 
quadruples generated by g. (This assumes that factorization of n and computing discrete 
logarithms to the base g are infeasible). Thus, if a verifier could be convinced that a prover 
has provided values for step f) which are properly related to p, q and the value of h 
(supplied by the verifier), the verifier would equally be confident of the Solovay-Strassen 
primality test using those values provided. 

The present invention is as claimed in the claims. 



Summary of the invention 

The present invention, in a first aspect, provides a method of exchanging digital 
public-key verification data whereby a first party enables a second party to obtain 
probabilistic evidence that a given public-key number n is the product of exactly two odd 
primes p and q, not known to the second party, whose bit lengths (ℓ(p), ℓ(q)) differ by not 
more than d bits. The method includes the following steps, all operations being mod P 
unless specified, the method being halted should any check fail. Initial parameters 
are established by: 

a) said first party provides to said second party a number P such that P is a prime 
number and n | (P - 1); 

b) said second party provides to said first party a number g where 
g = f^{(P-1)/n} mod P, f < P; 

c) said first party provides to said second party numbers A and B, where 
A = g^p mod P and B = g^q mod P. 

Thereafter: 

d) said second party checks that A ≠ B, A ≠ 1 and B ≠ 1; whereupon the following 
steps are repeated up to k times; 

e) said second party selects a random number h ∈ Z_n^* such that (h/n) = -1 and 
provides the number h to the first party; 

f) said first party checks that (h/n) = -1 and selects two random numbers u 
and v such that ℓ(u) = ℓ((p - 1)/2), ℓ(v) = ℓ((q - 1)/2) and provides to 
said second party the values 

U = g^{2u}, V = g^{2v}, H_u = B^{(h^u mod n)}, H_v = A^{(h^v mod n)}, H_uv = h^u h^v mod n. 

g) said second party sends a request to the first party that the first party provides to 
the second party values r and s, which the second party randomly specifies should be 
either: 

(1) r = u and s = v; or 

(2) r = u + (p - 1)/2, s = v + (q - 1)/2; 

h) said first party provides the requested values r and s to the second party; 

i) if the second party requested r = u and s = v, the second party determines 
whether: 

(1) ℓ(r) ≤ ⌊ℓ(n)/2⌋ + d, ℓ(s) ≤ ⌊ℓ(n)/2⌋ + d, 

(2) g^{2r+1} = Ug, g^{2s+1} = Vg, 

(3) B^{(h^r mod n)} = H_u, A^{(h^s mod n)} = H_v, and 

(4) h^r h^s = H_uv (mod n), 

thereby verifying the values provided by the first party to the second party are as were 
required by steps a) to f); or, if the second party requested r = u + (p - 1)/2, s = v + (q - 
1)/2, the second party determines whether: 

(1) ℓ(r) ≤ ⌊ℓ(n)/2⌋ + d, ℓ(s) ≤ ⌊ℓ(n)/2⌋ + d, 

(2) g^{2r+1} = UA, g^{2s+1} = VB, 

(3) B^{(h^r mod n)} = H_u^{±1}, A^{(h^s mod n)} = H_v^{∓1}, and 

(4) h^r h^s = H_uv h^{(n-1)/2} (mod n), 

thereby obtaining said probabilistic evidence on whether the given public-key number n is 
the product of exactly two odd primes p and q whose bit lengths (ℓ(p), ℓ(q)) differ by not 
more than d bits. 

The cost of a proof amounts to 12k log_2 n multiplications of integers of the size of n, 
where k is the number of iterations in the proof and relates to an error probability 
bounded by max(1/2^k, 24/n^{1/4}). To achieve cost and error similar to these, previous 
techniques require two additional conditions: (1) n is a Blum integer, and (2) a mutually 
trusted k log_2 n-bit long random source is accessible by the proving/verification participants. 
In failure of (1), k must be increased substantially in order to keep the error probability 
comparably small (e.g., k should be increased to 3000 for an error probability to remain at 
the level of 1/2^60). 

The present invention, in further aspects, encompasses computing entities and a 
communications system, a system of co-operating computing entities all for carrying out 
this protocol and a computer storage medium on which is stored instructions to enable 
general purpose computers to carry out the protocol. 



Brief description of the drawings 

For a better understanding of the invention and to show how the same may be 
carried into effect, there will now be described, by way of example only, specific 
embodiments, methods and processes according to the present invention with reference to 
the accompanying drawings in which: 

Fig 1 illustrates schematically transmission of encrypted data from a first to a second 
computing entity; 

Figure 2 illustrates schematically physical and logical resources of the computing 
entities illustrated in Fig 1; 

Figure 3 illustrates schematically data communications between the computing 
entities of Figures 1 and 2; 

Figures 4A to 4C illustrate schematically process steps carried out by one of 
the computing entities of Figures 1 and 2; and 

Figures 5A to 5C illustrate schematically process steps carried out by the other of 
the computing entities of Figures 1 and 2. 

Detailed description of the best mode for carrying out the invention 

There will now be described by way of example the best mode contemplated by the 
applicant for carrying out the invention. In the following description numerous specific 
details are set forth in order to provide a thorough understanding of the present invention. 
It will be apparent however, to one skilled in the art, that the present invention may be 
practiced without limitation to these specific details. In other instances, well-known 
methods and structures have not been described in detail so as not to unnecessarily obscure 
the present invention. 

There will now be described with reference to Figs 1 to 4 herein a method and 
apparatus by which private components p,q of a public-key n may be verified according to 
a first specific implementation of the present invention. 
Referring to Fig 1, there is illustrated schematically a pair of computing entities 
102,104 configured for communicating electronic data with each other over a 
communications network, in this case the internet 106, by communicating data 108,110 to 
each other via the internet 106 in well known manner. Illustrated in Fig 1 is first 
computing entity 102, hereinafter referred to as entity A, and a second computing entity 
104, herein referred to as entity B. In the example illustrated in Fig 1, the first and second 
computing entities 102,104 are geographically remote from each other and whilst in the 
best mode herein, the communications network comprises the known internet 106, in other 
embodiments and implementations of the present invention the communications network 
could comprise any suitable means of transmitting digitized data between the computing 
entities. For example, a known Ethernet network, local area network, wide area network, 
virtual private circuit or public telecommunications network may form the basis of a 
communications medium between the computing entities 102,104. 

The computing entities 102 and 104 have been programmed by storing on memory 
205,207 programs read from computer program storage media 112,114, for example, a CD- 
ROM. 

Referring now to Fig 2, there is illustrated schematically physical resources and 
logical resources of the computing entities A and B. Each computing entity comprises at 
least one data processing means 200,202, a memory area 203,205, a communications port 
206,208, for communicating with other computing entities. There is an operating system 
209,211, for example a known Unix operating system. One or more applications programs 
212, 214 are configured for operating for receiving, transmitting and performing data 
processing on electronic data received from other computing entities, and transmitted to 
other computer entities in accordance with specific methods of the present invention. 
Optionally there is a user interface 215,217 which may comprise a visual display device, a 
pointing device, e.g. a mouse or track-ball device, a keypad, and a printer. 

Under control of the respective application program 212,214, each of the computing 
entities 300, 301 is configured to operate according to a first specific method of the present 
invention. 

Referring to Fig 3 herein, there is illustrated schematically data communications 
passed between the first and second computing entities to effect verification by B of A's 
private components of a public-key according to the first specific implementation of the 
present invention. 

Applications programs 212,214 operate a set of algorithms that effect 
implementation of the verification protocol. The precise implementation of the algorithms 
is preferably made in a conventional prior art programming language, for example the 
language C or C++, using conventional programming techniques which are known to those 
skilled in the art. For a better understanding of the implementation of the algorithms, the 
following presents a model, notation and explanation of the verification protocol. It will be 
understood by those skilled in the art that the algorithmic steps are used to control the 
logical and physical resources of the computing entities by being programmed into the 
applications in a conventional programming language. 

Referring now to Figures 3, 4 and 5, there will now be described the operation of 
two computing entities commonly referred to as Alice and Bob, which names will be adopted here. 
The computing entity 102 and computing entity 104, by following the steps of Figures 4 
and 5, respectively, exchange signals representative of various data values as shown in 
Figure 

First, the computing entities agree on a set of parameters as follows, where Alice 
102 is the prover and Bob 104 is the verifier. Alice has constructed n = pq such that p and 
q are distinct odd primes with |ℓ(p) - ℓ(q)| ≤ d (i.e., the lengths of the two primes differ 
by at most d bits). The length of n is generally at least 512 to meet common security 
standards. d is preferably no greater than 2 but can be larger. The disadvantage of a larger 
d is that as d increases it will reach a threshold where the probability that p and q are primes 
when the test of the present invention is passed becomes dependent on n, not k. 

A proof will be abandoned on Alice's instigation if any check she (i.e., the 
computing entity A) performs fails and will be rejected by Bob if any check he (ie the 
computing entity B) performs fails. 

WO 00/48359 PCT/GB00/00370 

First, Alice shall help Bob to set up a multiplicative group of order n. For her part, 
Alice only needs to generate a prime P with n | (P - 1). This prime can be constructed by 
testing the primality of P = 2an + 1 for a = 1, 2, ..., until P is found to be prime. By the 
prime number theorem (general form due to Dirichlet, see e.g., p.28 of [E. Kranakis. 
Primality and Cryptography, Wiley-Teubner Series in Computer Science, John Wiley & 
Sons, 1986]), for fixed n with P = 2an + 1 ≤ N, there are roughly 

π_n(N) ≈ N / (φ(2n) ln(2an + 1)) 

such P's which are under N and are primes. Note that N ≤ 2an + 1 and n > φ(2n). So 

π_n(N) ≳ 2a / ln N. 

Since Alice's primality test procedure uses a = 1, 2, ..., the above inequality indicates a 
non-trivial probability for two primes to show up upon a reaching ln(2n ln n). So one can 
be sure that a is small (likely to be bounded by ln(2n ln n)). It will be computationally 
easy for Alice to find the prime P (step 402). Once P is found to be prime, Alice sends the 
numbers n and P to Bob (step 404, data 302). 

Upon receipt of n and P (step 501), Bob tests the primality of P (step 502). If P is 
not a prime the proof is rejected (step 504). Upon passing of the test, Bob chooses a 
random element f < P (step 506), and sets 

g = f^{(P-1)/n} mod P (step 508). 

Bob then sends g to Alice (step 510, data 304). 

Upon receipt of g (step 406), Alice shall check Ord_P(g) = n (step 408). If this does 
not hold, Alice may not be able to pass a proof later and so abandons the proof (step 410). 

Above we have reasoned that 2a = (P - 1)/n is small (≪ n). Thus, for n = pq, 
there can only be a few factors of P - 1 which are less than n, and they are fully known to Alice. 
So it will be computationally easy for Alice to check Ord_P(g) = n. Upon passing this 
simple check, Alice shall set 

A = g^p mod P, B = g^q mod P (step 412). 

Alice then sends the pair (A, B) to Bob (step 414, data 306). 

Upon receipt of (A, B) (step 512), Bob shall check the following: 

A ≠ B, A ≠ 1, B ≠ 1 (step 514). 

If these checks are passed, the system parameters have been properly set up and Bob moves on 
to step 520. If not, Bob rejects the proof (step 518). 
For clarity, we shall omit the trailing mod P operation in the following protocol 
specification which, for reference, will be called Two_Prime_Product(n, g, A, B, P). 
The following steps are repeated k times: 

1. Bob picks h ∈ Z_n^* at random with (h/n) = -1 (step 520) and sends it to Alice 
(step 522, data 308). 

2. Alice receives h (step 420) and checks (h/n) = -1 (step 422) and abandons the 
proof (step 424) if the check fails. If the check passes, Alice picks u, v at 
random (step 426) such that 

ℓ(u) = ℓ((p - 1)/2), ℓ(v) = ℓ((q - 1)/2) 

and sets 

U = g^{2u}, V = g^{2v}, H_u = B^{(h^u mod n)}, H_v = A^{(h^v mod n)}, H_uv = h^u h^v mod n (step 426). 

Alice sends to Bob: U, V, H_u, H_v, H_uv (step 428, data 310). 

3. Bob receives these values from Alice (step 524) and picks a challenge c ∈ {0, 1} at 
random (step 526) and sends it to Alice (step 528, data 312). 

4. Alice receives the challenge (step 430) and sends Bob the responses 

r = u + c(p - 1)/2, s = v + c(q - 1)/2 (step 432, data 314). 

5. Bob receives r and s from Alice (step 530) and checks all of the following (c = 0): 

5.1 ℓ(r) ≤ ⌊ℓ(n)/2⌋ + 2, ℓ(s) ≤ ⌊ℓ(n)/2⌋ + 2 

5.2 g^{2r+1} = Ug, g^{2s+1} = Vg 

5.3 B^{(h^r mod n)} = H_u, A^{(h^s mod n)} = H_v 

5.4 h^r h^s = H_uv (mod n) 

6. Bob checks (c = 1): 

6.1 ℓ(r) ≤ ⌊ℓ(n)/2⌋ + 2, ℓ(s) ≤ ⌊ℓ(n)/2⌋ + 2 

6.2 g^{2r+1} = UA, g^{2s+1} = VB 

6.3 B^{(h^r mod n)} = H_u^{±1}, A^{(h^s mod n)} = H_v^{∓1} 
(H_u^{±1} and H_v^{∓1} mean the exponents take opposite signs) 

6.4 h^r h^s = H_uv h^{(n-1)/2} (mod n) 

at steps 534 or 538, for c = 0, c = 1, respectively. 

If c = 0 and any of the checks of step 534 fails then Bob rejects the proof (step 536). 
Similarly, if c = 1 and if the checks of step 538 fail, then Bob rejects the proof (step 536). 

If the checks at step 534 all pass, Bob decides if a further iteration with a new 
value of h is required (step 540). If "Yes" Bob chooses another h (step 520) and another 
iteration is carried out; if "No" the protocol is ended (step 542). 

If the checks at step 538 all pass, Bob checks for Monte-Carlo evidence at step 542 
and then determines if another iteration is to be carried out (step 540). 
Alice then determines if Bob wishes to go through a further iteration (step 434). If 
"Yes" it returns to step 420, if "No" the protocol ends. 

We shall see below that the two congruences checked in step 6.3 actually evaluate the 
Jacobi (Legendre) symbols (h/p) and (h/q). Using challenges of negative Jacobi symbol 
has the virtue of not disclosing the quadratic residue information of the challenges. In 
contrast, many square-root displaying protocols (e.g., [R. Gennaro, D. Micciancio and T. 
Rabin. An efficient non-interactive statistical zero-knowledge proof system for quasi-safe 
prime products, In 5th ACM Conference on Computer and Communications Security, 
October 1998; J. van de Graaf and R. Peralta. A simple and secure way to show the 
validity of your public-key, Advances in Cryptology - Proceedings of CRYPTO 87 (E. 
Pomerance, ed.), Lecture Notes in Computer Science, Springer-Verlag, 293 (1988), pp. 
128-134]) disclose such information. 

The protocol allows for the two factors to have size differences satisfying 
|ℓ(p) - ℓ(q)| ≤ d. Larger size differences, if desirable, can be accommodated by adjusting 
the inequalities in steps 5.1 and 6.1. 
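The following Python program is an added worked example, not code from the patent, covering both the Solovay-Strassen test described earlier and the protocol Two_Prime_Product just specified, run end to end with toy-sized primes. It assumes d = 2 (so the bound of steps 5.1 and 6.1 is ⌊ℓ(n)/2⌋ + 2), uses the Solovay-Strassen test itself for Bob's primality check of P in step 502, and folds prover and verifier into one function so that every check of steps 5 and 6 is visible in one place; the function names (jacobi, solovay_strassen, find_P, run_two_prime_product), the seed parameters and the sample primes 1019, 1031 and the composite 1037 = 17 · 61 are the example's own choices. 

```python
import random

# Added example (not the patent's own code): the Jacobi symbol, the Solovay-Strassen
# test, and a toy end-to-end run of Two_Prime_Product(n, g, A, B, P) with d = 2.


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0, computed by quadratic reciprocity."""
    assert n > 0 and n % 2 == 1
    a, result = a % n, 1
    while a:
        while a % 2 == 0:       # (2/n) = -1 exactly when n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a             # reciprocity: sign flips iff both are 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0   # n > 1 here means gcd(a, n) > 1


def solovay_strassen(x, k=20, seed=None):
    """x passes if a^((x-1)/2) = (a/x) (mod x) for k random a < x; a composite x
    survives one round with probability at most 1/2, so the error is below 1/2^k."""
    if x < 4:
        return x in (2, 3)
    if x % 2 == 0:
        return False
    rng = random.Random(seed)
    for _ in range(k):
        a = rng.randrange(2, x)
        j = jacobi(a, x)
        if j == 0 or pow(a, (x - 1) // 2, x) != j % x:   # j % x turns -1 into x-1
            return False
    return True


def find_P(n):
    """Alice's step 402: smallest a >= 1 such that P = 2an + 1 is prime, so n | P - 1."""
    a = 1
    while not solovay_strassen(2 * a * n + 1, k=40):
        a += 1
    return 2 * a * n + 1


def run_two_prime_product(p, q, k=20, seed=None):
    """Run the protocol for n = p*q with prover Alice (who knows p, q) and verifier Bob
    folded into one function. Returns True if Bob accepts all k rounds, False at the
    first failed check. With a composite p or q, check 6.3 fails in most c = 1 rounds."""
    rng = random.Random(seed)
    n = p * q
    P = find_P(n)                                   # steps 402/404
    if not solovay_strassen(P, k=40):               # step 502: Bob re-tests P
        return False
    while True:                                     # steps 506/508: g = f^((P-1)/n) mod P
        g = pow(rng.randrange(2, P), (P - 1) // n, P)
        if pow(g, p, P) != 1 and pow(g, q, P) != 1:  # step 408: Ord_P(g) = n for prime p, q
            break
    A, B = pow(g, p, P), pow(g, q, P)               # step 412
    if A == B or A == 1 or B == 1:                  # step 514
        return False
    bound = n.bit_length() // 2 + 2                 # floor(l(n)/2) + d with d = 2
    lp, lq = ((p - 1) // 2).bit_length(), ((q - 1) // 2).bit_length()
    for _ in range(k):
        h = rng.randrange(2, n)                     # 1. Bob: h in Z_n^* with (h/n) = -1
        while jacobi(h, n) != -1:
            h = rng.randrange(2, n)
        u = rng.randrange(1 << (lp - 1), 1 << lp)   # 2. Alice: l(u) = l((p-1)/2), l(v) = l((q-1)/2)
        v = rng.randrange(1 << (lq - 1), 1 << lq)
        U, V = pow(g, 2 * u, P), pow(g, 2 * v, P)
        H_u, H_v = pow(B, pow(h, u, n), P), pow(A, pow(h, v, n), P)
        H_uv = pow(h, u, n) * pow(h, v, n) % n
        c = rng.randrange(2)                        # 3. Bob's challenge bit
        r, s = u + c * (p - 1) // 2, v + c * (q - 1) // 2   # 4. Alice's responses
        # 5./6. Bob's checks x.1 .. x.4 (x = 5 for c = 0, x = 6 for c = 1)
        if r.bit_length() > bound or s.bit_length() > bound:
            return False
        if (pow(g, 2 * r + 1, P) != U * (A if c else g) % P or
                pow(g, 2 * s + 1, P) != V * (B if c else g) % P):
            return False
        lhs_u, lhs_v = pow(B, pow(h, r, n), P), pow(A, pow(h, s, n), P)
        if c == 0:
            ok = lhs_u == H_u and lhs_v == H_v
        else:   # 6.3: the exponents of H_u and H_v must take opposite signs, as (h/p)(h/q) = -1
            ok = ((lhs_u == H_u and lhs_v == pow(H_v, -1, P)) or
                  (lhs_u == pow(H_u, -1, P) and lhs_v == H_v))
        if not ok:
            return False
        expected = H_uv * (pow(h, (n - 1) // 2, n) if c else 1) % n   # 5.4 / 6.4
        if pow(h, r, n) * pow(h, s, n) % n != expected:
            return False
    return True


if __name__ == "__main__":
    print("n = 1019 * 1031 accepted:", run_two_prime_product(1019, 1031, seed=7))
    print("n = 1019 * 1037 (1037 = 17 * 61) accepted:", run_two_prime_product(1019, 1037, seed=1))
```

Running it with q = 1037 = 17 · 61 shows the soundness side of the protocol: check 6.3 needs h^{(q-1)/2} ≡ ±1 (mod q), which a composite q satisfies for only a small fraction of Bob's challenges, so the run is rejected within a few c = 1 rounds, while two genuine primes pass every round as Theorem 1 below states. In a real deployment the two halves would exchange the values U, V, H_u, H_v, H_uv, c, r, s as messages, and n would be 512 bits or more. 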
We analyze the security of the protocol, which consists of the properties of completeness, 
soundness, and privacy. 

Completeness 

Theorem 1 If Alice follows the specification of Two_Prime_Product, a proof will be 
accepted. 

Proof We show that Bob will be satisfied by the checks performed in protocol step 
5.1 through step 5.4. 

First, we show the inequalities in 5.1. Alice has set p and q such that pq = n and 

-2 ≤ ℓ(p) - ℓ(q) ≤ 2. (1) 

Obviously 

ℓ(n) ≤ ℓ(p) + ℓ(q) ≤ ℓ(n) + 1. (2) 

Adding (1) to (2) yields 

2ℓ(p) ≤ ℓ(n) + 3, 

or 

ℓ(p) ≤ ⌊ℓ(n)/2⌋ + 2. (3) 

Alice has chosen ℓ(u) = ℓ((p - 1)/2). With p odd, (p - 1)/2 is a whole number and 
ℓ((p - 1)/2) = ℓ(p) - 1. So when c = 0 

ℓ(r) = ℓ(u) = ℓ((p - 1)/2) = ℓ(p) - 1, 

and when c = 1 

ℓ(r) = ℓ(u + (p - 1)/2) ≤ ℓ((p - 1)/2) + 1 = ℓ(p). 

So for both cases, (3) will imply 

ℓ(r) ≤ ⌊ℓ(n)/2⌋ + 2. 

Analogously we can show 

ℓ(s) ≤ ⌊ℓ(n)/2⌋ + 2. 

In the following, we shall only examine the cases under c = 1, since c = 0 will 
render the congruences in 5.2 through 5.4 to hold trivially. 

In 5.2, noting that g^p = A (mod P) and the structures of U and r, it is easy to 
see that the first congruence will hold. The second congruence holds similarly. 
To see that the congruences in 5.3 will hold, observe 

B^{(h^{(p-1)/2} mod n)} ≡ B^{(h^{(p-1)/2} mod p)} ≡ B^{(h/p)} (mod P). (4) 

The first congruence in (4) is due to Ord_P(B) = p | n. Then, since p is prime, the 
second congruence in (4) follows from Euler's criterion. Therefore, the first congruence 
in 5.3 (for c = 1) is: 

B^{(h^r mod n)} = B^{(h^{u+(p-1)/2} mod n)} 
= B^{(h^{(p-1)/2} mod n)(h^u mod n)} 
= B^{(h^{(p-1)/2} mod p)(h^u mod n)} 
= B^{(h/p)(h^u mod n)} 
= H_u^{(h/p)} (mod P), 

while the second congruence in 5.3 (for c = 1) is, analogously, 

A^{(h^s mod n)} = H_v^{(h/q)} (mod P). 

The exponents of both right-hand sides must take opposite signs since Jacobi 
symbols only take values ±1 and h has been chosen to satisfy 

-1 = (h/n) = (h/p)(h/q). 

Therefore the congruences in 5.3 will hold. 
Finally, any h ∈ Z_n^* will satisfy 

h^{p+q} = h^{n+1} (mod n). 

With (p - 1)/2, (q - 1)/2 and (n - 1)/2 being whole numbers, it is easy to rewrite 
the above into 

h^{[(p-1)/2 + (q-1)/2]} = h^{(n-1)/2} (mod n). 

Therefore the congruence in 5.4 will hold. □ 
Soundness 

We now show that protocol Two_Prime_Product provides a Monte-Carlo method for 
testing the primality of the orders of A and B. We firstly note that all the numbers 
and variables to appear in this section are non-negative integers. In particular, log_g(A) 
and log_g(B) denote some positive integers p and q less than Ord_P(g) satisfying A = 
g^p (mod P) and B = g^q (mod P). 
Lemma 1 Without the knowledge of the factorization of n, the element g fixed by 
Bob satisfies 

Pr[Ord_P(g) divides x] = x/n, 

for any x dividing n. 

Proof Without the knowledge of the factorization of n, Bob's procedure for fixing 
g is via g = f^{(P-1)/n} mod P using f which is chosen at random from Z_P^* (review 
Section 2.2). Then g^n = 1 (mod P) by Fermat's Theorem. In the cyclic group Z_P^* 
there are exactly n = Σ_{d|n} φ(d) elements of orders dividing n. Only these elements 
can be the candidates for g. For the same reason, for any x | n | P - 1, there are exactly 
x = Σ_{d|x} φ(d) elements in Z_P^* of orders dividing x. The claimed probability is thus 
calculated as that of picking x objects from n. □ 
Lemma 2 Denote $\mathrm{Ord}_P(B) = x$ and $\mathrm{Ord}_P(A) = y$. Upon acceptance of a proof on running Two_Prime_Product($n, g, A, B, P$), Bob accepts that his random choice of $h$ in the protocol run ($(h,n) = 1$ and $\left(\frac{h}{n}\right) = -1$) satisfies

$$h^{[(\log_g(A)-1)/2]} \equiv \pm 1 \pmod x, \qquad h^{[(\log_g(B)-1)/2]} \equiv \mp 1 \pmod y,$$

and the probability for failing this does not exceed $1/2^k$ where $k$ is the number of iterations used in the protocol.

Proof The first congruence in 5.2 shows that Alice knows both $\log_g(U)$ (shown when $c = 0$) and $\log_g(UA) = \log_g(U) + \log_g(A)$ (shown when $c = 1$), and has added $\log_g(A)$ to the response whenever $c = 1$ is the case. Suppose Alice does not know $\log_g(A)$. Then in each iteration she can only answer Bob's random challenge with at most $1/2$ chance of correctness. Thus, after having verified $k$ correct responses to his random challenges, Bob should agree that the probability for Alice not having used $\log_g(A)$ in her response (when $c = 1$) is at most $1/2^k$.

The first congruence in 5.3 further shows that $H_U$ is generated from $B$ with the use of an exponent which is in turn generated from Bob's randomly chosen challenge $h$. Since $(h,n) = 1$, $(h^r \bmod n, n) = 1$. Therefore

$$\mathrm{Ord}_P(H_U) = \mathrm{Ord}_P(B) = x.$$

Clearly, the quantity $\log_g(A)$ in $2r+1$ (when $c = 1$) amounts to $(\log_g(A)-1)/2$ in $r$. Therefore the first congruence in 5.3 shows that for $h$ satisfying $(h,n) = 1$:

$$h^{[(\log_g(A)-1)/2]} \equiv \pm 1 \pmod x.$$

Analogously we can use the second congruence in 5.3 to establish that for the same $h$

$$h^{[(\log_g(B)-1)/2]} \equiv \mp 1 \pmod y. \qquad □$$

In the rest of this section we will continue denoting

$$\mathrm{Ord}_P(B) = x, \qquad \mathrm{Ord}_P(A) = y.$$
Following the Solovay-Strassen primality test technique [17] we define the following set

$$H_x = \{\, h \in Z_x \mid (h,x) = 1,\ h^\alpha \equiv \pm 1 \pmod x,\ \alpha \text{ a constant} \,\}. \qquad (5)$$

Clearly, this set is a subgroup of $Z_x^*$. It is a variation of its counterpart used in the Solovay-Strassen primality test technique. There, $H_x$ is defined such that the exponent $\alpha$ is $(x-1)/2$. In our "test in the dark" method, the verifier Bob is not given the modulus $x$, let alone does he know the relation between the exponent and the modulus. All the information Bob has is that the modulus is a factor of $n$, and that the exponent is a constant. (The result of Lemma 2 stipulates the constant be $(\log_g(A)-1)/2$.)

Lemma 3 Let $x$, $y$ and $h$ be as in Lemma 2. Bob accepts that $x$ and $y$ are prime powers. The probability for failing this does not exceed $1/2^k$.

Proof We prove the lemma by estimating the probability for $x$ not being a prime power. A prime power can be written as $p^r$ with $p$ prime and $r \ge 1$. Suppose $x$ is not a prime power. Then let $x = \xi\eta$ with $\xi > 1$, $\eta > 1$ and $(\xi, \eta) = 1$.

Obviously, either $H_x$ is a proper subgroup of $Z_x^*$, or $H_x = Z_x^*$.

In the first case, $\#H_x$ is at most half of $\#Z_x^*$ (since the former must divide the latter), and thereby the probability for each $h$ randomly picked from $Z_x^*$ to fall in $H_x$ cannot exceed $1/2$, which amounts to $1/2^k$ to bound the probability for $k$ such $h$'s to be so.

Now we consider $H_x = Z_x^*$. We claim that $H_x$ will only contain elements satisfying

$$h^\alpha \equiv 1 \pmod x, \qquad (6)$$

where $\alpha$ is the constant in (5). Suppose $H_x = Z_x^*$ while (6) is not true for some element in $H_x$. Let $h$ be such an element. So $h^\alpha \equiv -1 \pmod x$. Since $\xi$ and $\eta$ are relatively prime, by the Chinese remainder theorem, the system $f \equiv 1 \pmod \xi$, $f \equiv h \pmod \eta$ has a solution $f \in Z_x^*$. Obviously,

$$f^\alpha \equiv 1 \pmod \xi, \qquad f^\alpha \equiv -1 \pmod \eta,$$

yielding

$$f^\alpha \not\equiv \pm 1 \pmod x.$$

So $f \in Z_x^* \setminus H_x$, a contradiction to $H_x = Z_x^*$.

So now we must consider $H_x = Z_x^*$ with all elements in $H_x$ satisfying (6). This implies that for $k$ randomly chosen $h$'s with $(h \bmod y, y) = 1$, $h^\beta \equiv -1 \pmod y$ where $\beta = (\log_g(B)-1)/2$. Let $z$ be a prime factor of $y$. Then we will also have $(h^\beta \bmod z, z) = 1$ and

$$h^\beta \equiv -1 \pmod z. \qquad (7)$$

Since $z$ is prime, by Fermat's Theorem we know $z - 1 \mid 2\beta$, i.e., $\beta$ is a multiple of $(z-1)/2$. In $Z_z^*$ exactly half of the elements, the quadratic non-residues, satisfy (7) (none of the other elements can satisfy it). So the probability for this congruence to hold for $k$ randomly chosen $h$'s cannot exceed $1/2^k$. This value must also bound the probability for $x$ not being a prime power.

By symmetry, $y$ is also a prime power. □
Lemma 4 Under the hypotheses of Lemma 2, $(x,y) = 1$, and the probability for failing this does not exceed $1/2^k$.

Proof Since $x$ and $y$ are both prime powers, if $(x,y) > 1$ we can assume without loss of generality that $x = p^r \mid y$. Using the result of Lemma 2 we can derive

$$\mp 1 \equiv h^\beta \pmod y \equiv h^\beta \pmod x.$$

At the same time we have

$$h^\alpha \equiv \pm 1 \pmod x.$$

Thus,

$$h^{\alpha-\beta} \equiv -1 \pmod x \equiv -1 \pmod p,$$

for all $k$ instances of randomly-picked $h$ with $(h,p) = 1$. Since $p$ is prime, the above is only possible if $p - 1$ divides $2|\alpha - \beta|$ but does not divide $|\alpha - \beta|$. So $|\alpha - \beta|$ is an odd multiple of $(p-1)/2$, which implies

$$h^{(p-1)/2} \equiv -1 \pmod p \qquad (8)$$

for all such $h \bmod p$. Only half of the elements in $Z_p^*$, the quadratic non-residues, satisfy (8). Therefore the probability for (8) to hold $k$ times, i.e., for $k$ random $h$'s with $h \bmod p$ being quadratic non-residues, will not exceed $1/2^k$. Since the congruence in (8) is derived from the assumption $(x,y) > 1$, the value $1/2^k$ also bounds the probability for $(x,y) > 1$. □
Lemma 5 Under the hypotheses of Lemma 2, there exist integers $a$ and $b$ satisfying

$$\log_g(A) = ax < 8n^{1/2}, \qquad \log_g(B) = by < 8n^{1/2}.$$

Proof From the proof of Lemma 2 we know that $A$ is generated from $g$. So its order $y$ can only be reduced from $\mathrm{Ord}_P(g)$ and thereby $y \mid \mathrm{Ord}_P(g)$. We also know

$$0 = \log_g(1) = \log_g(A^y) = y\log_g(A) \pmod{\mathrm{Ord}_P(g)}.$$

This means

$$\mathrm{Ord}_P(g) \mid y\log_g(A). \qquad (9)$$

By symmetry, $x \mid \mathrm{Ord}_P(g) \mid x\log_g(B)$. Then $xy \mid \mathrm{Ord}_P(g)$ since $(x,y) = 1$ (Lemma 4). Combining this with (9), we have $x \mid \log_g(A)$. By symmetry we can also derive

$$\mathrm{Ord}_P(g) \mid x\log_g(B), \qquad (10)$$

and $y \mid \log_g(B)$. So we can write

$$\log_g(A) = ax, \qquad \log_g(B) = by,$$

for some $a$ and $b$.

In protocol step 5.1, Bob has checked that in both challenge cases the responses $r$ and $s$ satisfy

$$\ell(r),\ \ell(s) \le \lfloor \ell(n)/2 \rfloor + 2.$$

Since when the challenge is $c = 1$, $\ell(\log_g(A)) \le \ell(2r+1) = \ell(r) + 1$,

$$\ell(\log_g(A)) \le \lfloor \ell(n)/2 \rfloor + 3.$$

This implies

$$\log_g(A) < 2^{\lfloor \ell(n)/2 \rfloor + 3} \le 8n^{1/2}.$$

By symmetry, $by = \log_g(B) < 8n^{1/2}$. □

Now we can prove the soundness of our protocol.
Theorem 2 Upon acceptance of a proof Two_Prime_Product($n, g, A, B, P$) with $n > 24^4$ and odd, Bob accepts that $\log_g(A)$ and $\log_g(B)$ are distinct odd primes. The probability for failing this does not exceed $\max(1/2^k, 24/n^{1/4})$ where $k$ is the number of iterations used in the proof.

Proof We know $x \ne y$ since they are relatively prime to each other. Both are odd since both divide an odd number $n$. By symmetry, we only need to prove the case for $x = \log_g(A)$ to be a prime. We have already established $ax = \log_g(A)$ (Lemma 5) and $x = p^r$ with $p$ being prime (Lemma 3). So to prove this theorem we need only to show $a = r = 1$. We shall establish the probability for Bob to accept the proof while assuming either $r > 1$ or $a > 1$. Using the method that we have used in the proof of Lemma 3, we shall reason that if either of these two cases is true, then either $H_x$ (defined in (5)) should be a proper subgroup of $Z_x^*$, which will render $1/2^k$ to bound the probability for Bob to accept a proof of $k$ iterations, or another event of negligibly small probability should have occurred.

First, consider the case of $r > 1$.

There exists $h \in Z_{p^r}^*$ of the full order $(p-1)p^{r-1}$. This element cannot be in $H_x$ since otherwise the first congruence established in Lemma 2 will imply

$$h^{ap^r - 1} \equiv 1 \pmod{p^r},$$

which yields

$$(p-1)p^{r-1} \mid ap^r - 1.$$

So there exists $\lambda$ satisfying

$$ap^r - \lambda(p-1)p^{r-1} = 1.$$

This means $p^{r-1}$ is relatively prime to $p^r$, impossible with $r > 1$. So $H_x$ must be a proper subgroup of $Z_x^*$.

The remaining case is $a > 1$ and $x$ prime.

There exists $h \in Z_x^*$ of full order $x - 1$. If $h$ is not in $H_x$ then $H_x$ is a proper subgroup and we are done. Now suppose $h \in H_x$. The first congruence in Lemma 2 implies

$$h^{ax-1} \equiv 1 \pmod x,$$

which further implies $x - 1 \mid ax - 1 = a(x-1) + a - 1$. So $x - 1 \mid a - 1$. This is only possible if $x \le a$. From Lemma 5, $ax < 8n^{1/2}$. So $x^2 \le ax < 8n^{1/2}$, or $x < 3n^{1/4}$. Lemma 5 also requires $\log_g(B) = by < 8n^{1/2}$. These yield

$$x\log_g(B) = xby < 24n^{3/4}.$$

So, this case of $\log_g(A)$ requires $xby < 24n^{3/4}$. From (10), $\mathrm{Ord}_P(g) \mid xby$. Also, $\mathrm{Ord}_P(g) \mid n$. So $\mathrm{Ord}_P(g) \mid (xby, n) \le xby < n$ (as $n > 24^4$). Now we can apply Lemma 1 and obtain

$$\Pr[\,\mathrm{Ord}_P(g) \text{ divides } (xby, n)\,] = (xby, n)/n \le xby/n < 24/n^{1/4}.$$

We have shown that if $x$ is not a prime, or $x \ne \log_g(A)$, then the probabilities for Bob to accept the proof are bounded by either $1/2^k$ or $24/n^{1/4}$, whichever is larger. The latter value bounds the probability for Bob to have chosen $g$ of such a small order. □

Remark In the proof of Theorem 2 and Lemma 3 we have used random elements in $Z_x^*$. We should point out that in the protocol Bob only picks $h$ at random from $Z_n^*$, rather than from $Z_x^*$, since he does not know the factorization of $n$. Also $h$ is chosen to have negative Jacobi symbol mod $n$. However, the mapping from such $h$ in $Z_n^*$ to $h \bmod x$ in $Z_x^*$ is onto (the mapping is accomplished by the double exponentiations checked in protocol step 5.3) and thereby results in uniformly distributed elements in
Theorem 3 Under the hypotheses of Theorem 2, $n = \log_g(A)\log_g(B)$, and the probability for failing this does not exceed $\max(1/2^k, 8/n^{1/4})$.

Proof In Theorem 2 we have proved $\log_g(A)\log_g(B) = xy = \mathrm{Ord}_P(g) \mid n$ where $x$ and $y$ are distinct primes. Suppose $n = xyz$ for some integer $z$. We prove the theorem by estimating the probability for $z > 1$.

The congruence checked in protocol step 5.4 implies that each $h$ that Bob chooses at random satisfies

$$\mathrm{Ord}_n(h) \mid n - x - y + 1. \qquad (11)$$

Define the following set as a subgroup of $Z_n^*$:

$$H = \{\, h \in Z_n^* \mid h^{(n-x-y+1)} \equiv 1 \pmod n \,\}.$$

Since $x, y$ are distinct primes, there exists $h \in Z_n^*$ of order $\max(x-1, y-1)$. If $h \notin H$ then $H$ is a proper subgroup of $Z_n^*$ and $\#H$ cannot exceed half of $\#Z_n^*$. Thus, the probability for choosing $k$ random elements from $Z_n^*$ which also fall in $H$ (to pass the congruence in step 5.4) will not exceed $1/2^k$.

Now suppose $h \in H$. Without loss of generality, let $x - 1 \ge y - 1$. Then from (11) we can derive

$$x - 1 = \mathrm{Ord}_n(h) \mid z - 1.$$

This is only possible if $x \le z$. Given $y < 8n^{1/2}$, the maximum possible value for $\mathrm{Ord}_P(g) = xy = n/z$ can only result from the maximum possible value of $x = z$, which renders

$$\mathrm{Ord}_P(g) = xy < 8n^{3/4}.$$

Applying Lemma 1 we know that the probability for Bob having chosen $g$ of such a small order does not exceed $8/n^{1/4}$.

Thus, we can use $\max(1/2^k, 8/n^{1/4})$ to bound the probability for $z > 1$. □

By now we know that the two prime factors of $n$ have roughly equal size since

$$\log_g(A) < 8n^{1/2}, \qquad \log_g(B) < 8n^{1/2}.$$

As a concluding remark for our soundness analysis, we emphasize the importance of verifying the congruences in protocol step 5.3. Besides their roles in the soundness proof that we have seen, they also exclude $x$ and $y$ from being certain pseudoprimes such as Carmichael numbers (see e.g., p. 137 of [13]). Moreover, they prevent $x$ and $y$ from being methodically chosen in a cheating way that can pass a (flawed) protocol in [12] for proof of a required format for RSA moduli. (The required format is the same as what our protocol proves: $n$ is the product of exactly two primes of roughly equal size.) That protocol first applies a square-root displaying protocol to prove that $n$ is the product of two prime powers ([12] suggests using the method of [9] for proof of Blum integers; we will discuss square-root displaying protocols further in Section 4), and then verifies

$$h^{x+y} \equiv h^{n+1} \pmod n$$

(equivalent to the congruence checked in our protocol step 5.4), plus checking the sizes of $x$ and $y$. Below we reason that such verification does not suffice for proving the required format of $n$.

Let $n = xy$ with $x, y$ being odd. It is easy to see that, as long as $\lambda(n)$ (the Carmichael function of $n$, which is the lowest order of all elements in $Z_n^*$) divides $(x-1)(y-1)/2 = (n-1)/2 - [(x-1) + (y-1)]/2$, the congruence above will always pass. Alice can thus cheat as follows. She sets $x = p^r$ with $p$ prime and $r > 1$ such that $y = 2p^{r-1} + 1$ is prime and $\ell(x) \approx \ell(y)$. There are sufficiently many primes $p$ such that $2p^{r-1} + 1$ is also prime. So it will be easy for Alice to find $p$ and $y$ to satisfy what is required. Clearly, $n$ is the product of two prime powers, and will therefore pass a Blum integer proof based on displaying square roots of challenges. The size checking on $x$ and $y$ will pass too. Moreover,

$$(x-1)(y-1) = (p^r - 1)\,2p^{r-1} = (p-1)(\ldots)\,2p^{r-1}$$

and

$$\lambda(n) = \mathrm{lcm}(\phi(x), \phi(y)) = \mathrm{lcm}((p-1)p^{r-1}, 2p^{r-1}) = (p-1)p^{r-1}.$$

So it always holds that

$$\lambda(n) \mid (x-1)(y-1)/2.$$

Consequently, verification using $h^{x+y} \equiv h^{n+1} \pmod n$ will pass for all $h \in Z_n^*$. But $n$ is not the product of exactly two primes, and the sizes of its prime factors are not roughly equal ($\ell(p) \approx \ell(y)/r$).

Privacy

In addition to $n$ Alice has also made available the following two constants:

$$(A, B) = (g^p, g^q) \pmod P.$$

Were these two constants not available, the prime factors of $n$ would be protected by the factorization problem. On the other hand, were $n$ not available, given the two constants $(A, B)$, to find $(p, q)$ one faces the discrete logarithm problem. Our privacy analysis shall nevertheless identify whether finding $p$ and $q$ will still remain a hard problem given the availability of both $n$ and $(A, B)$. Clearly, we can no longer consider the problem to be one of pure factorization or pure discrete logarithm.

To identify the exact difficulty of finding $p, q$ from $n$ and $(A, B)$, suppose there exists an efficient algorithm $\mathcal{A}$ such that with input $(g, A, B, n)$ it will output $p$ and $q$ in time bounded by a polynomial in the size of $n$. We should keep in mind that $\mathcal{A}$ works because the input values are related by

$$n = \log_g(A)\log_g(B) \pmod n. \qquad (12)$$

Were the input values not related in any way then, because to date there exist no polynomial-time algorithms to factor integers or to compute discrete logarithms, $\mathcal{A}$ could not output $\log_g(A)$, $\log_g(B)$ in time bounded by any polynomial in the size of $n$.

For any $z$ with $(z, n) = 1$, (12) is equivalent to

$$n = [z\log_g(A)][z^{-1}\log_g(B)] = \log_g(A^z)\log_g(B^{z^{-1}}) \pmod n.$$

So with input $(g, A^z, B^{z^{-1}}, n)$, $\mathcal{A}$ should output $\log_g(A^z)$ and $\log_g(B^{z^{-1}})$ in time bounded by a polynomial in the size of $n$.

Further notice that for any $z < q$, $A' = A^z \pmod P$ forms a permutation in the subgroup generated by $A$. Analogously for any $z' < p$, $B' = B^{z'} \pmod P$ forms a permutation in the subgroup generated by $B$. Thus, given an arbitrary quadruple $(g, A', B', 1)$, $\mathcal{A}$ forms a decision procedure to answer whether $(g, A', B', 1)$ is a member of the Diffie-Hellman quadruples generated by $g$.

Theorem 4 Under the assumptions that factorization of $n$ and computing discrete logarithms to the base $g$ are infeasible, finding $p, q$ from the constants $A, B$ and the modulus $n$ is at least as difficult as solving a decision problem on the membership of the Diffie-Hellman quadruples generated by $g$. □

This membership decision problem is often referred to as the Decision Diffie-Hellman Problem ([15, 18]) and is widely regarded as hard.
Performance

The operations in the protocol mainly involve exponentiations modulo big integers and evaluation of Jacobi symbols. Because the cost of the latter is trivial in comparison to that of the former, we shall focus our attention on estimating the cost of modular exponentiations.

We shall not consider the cost for Alice to generate $n$ and the related prime $P = 2an + 1$ since these procedures are purely local to Alice (while a protocol involves communications). She can prepare these two numbers well in advance before running the protocol. However, the cost to Bob of testing the primality of $P$ should be included in the cost for him to run the protocol.

Testing the primality of $P$ using a Monte-Carlo method needs $k$ testing iterations to achieve $1/2^k$ error probability (using the same $k$ as in the protocol to equalize the error probability). Each iteration mainly involves one exponentiation mod $P$, so for this part Bob performs $k$ exponentiations mod $P$.

In the proof protocol, in each iteration Alice computes four exponentiations mod $P$ and two of them mod $n$. Bob performs slightly more: four of them mod $P$ and on average 2.5 of them mod $n$ (2 for $c = 0$ and 3 for $c = 1$). Thus, with a proof of $k$ iterations, Alice computes $4k$ exponentiations mod $P$ and $2k$ of them mod $n$. For Bob's part, adding the cost of testing the primality of $P$, he should perform in total $5k$ exponentiations mod $P$ and $2.5k$ of them mod $n$.

Notice the fact that $P = 2an + 1$ where $a$ is small (at the level of $\ln(2n\ln n)$, see Section 3.2). We have

$$\log_2 P - \log_2 n \approx \log_2[2\ln(2n\ln n)].$$

This means that the size of $P$ may exceed that of $n$ by only a few bits (for instance for any $n$ of size less than 10,000 bits, $\log_2[2\ln(2n\ln n)] < 5$, which is less than two percent of the size of $n$). Since the previous equation shows that the size difference between the two moduli grows much more slowly than the moduli themselves, we can claim that for $n$ of any size larger than 512 bits (the recommended least size for today), the size of $P$ will not exceed that of $n$ by two percent (of the size of $n$), namely

$$\log_2 P \le 1.02\log_2 n.$$

Since in bit operations the cost of an exponentiation mod $P$ is measured in $O((\log_2 P)^3)$, i.e., $C(\log_2 P)^3$ for some constant $C$, we can use the following to relate the cost of exponentiation mod $P$ to that mod $n$ (of any size larger than 512 bits):

$$(\log_2 P)^3 \le (1.02\log_2 n)^3 \approx 1.062(\log_2 n)^3.$$

That is, the cost of one exponentiation mod $P$ will not exceed that of one mod $n$ by seven percent. We nevertheless use a ten percent expansion and convert Bob's workload of $5k$ exponentiations mod $P$ into $5.5k$ exponentiations mod $n$. So in total Bob will need to compute no more than $8k$ of them. Since on average an exponentiation mod $n$ amounts to $1.5\log_2 n$ multiplications mod $n$, the total cost to Bob for running the protocol will be $12k\log_2 n$ multiplications of integers of size $n$. We can also use this quantity to bound Alice's cost of running the protocol.

For $n$ of size larger than 512 bits, the computational cost of proving and verifying that $n$ is the product of two primes of roughly equal size using protocol Two_Prime_Product is $12k\log_2 n$ multiplications of integers of size $n$. Both parties should perform this number of operations.

Considering the fact that a Monte-Carlo primality test on a non-secret number mainly involves modular exponentiation, Bob's verification cost is equal to eight such tests on non-secret numbers of size $n$.

We have constructed an efficient knowledge proof protocol for demonstrating that an integer is the product of two prime factors of roughly equal size. The new protocol is the first of its kind that proves such a structure with efficiency comparable to that of a Monte-Carlo method for primality evidence "in the dark".

Previous techniques for proving such a structure have a much higher cost for non-Blum integers (as will be discussed below). The improved efficiency for reasoning about non-Blum integers due to this work manifests a particular suitability for using the proposed protocol in the proof of valid RSA keys which are generated uniformly at random (e.g., for the protocol of Blackburn and Galbraith (S.R. Blackburn and S.D. Galbraith. Certification of secure RSA keys, University of Waterloo Centre for Applied Cryptographic Research, Technical Report CORR 90-44, available from http://www.cacr.math.uwaterloo.ca/)).

The cost of a proof amounts to $12k\log_2 n$ multiplications of integers of size $n$ where $k$ is the number of iterations in the proof and relates to an error probability bounded by $\max(1/2^k, 24/n^{1/4})$. This is the first protocol that proves the two-prime-product structure of a number with the cost at the level of $O(k\log_2 n)$ multiplications and the error probability at the level of $1/2^k$ (considering $k = 60$ and $n > 2^{512}$, $1/2^k \gg 24/n^{1/4}$) regardless of whether the number in question is a Blum integer [M. Blum. Coin flipping by telephone: a protocol for solving impossible problems, Proceedings of 24th IEEE Computer Conference (CompCon), 1982, pp. 133-137].
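The protocol run end to end, as an added worked example that is not the patent's own code: Alice holds $p = 11$, $q = 13$ (toy values I chose), Bob fixes $g$ and issues the challenges, and Bob's checks are the ones labelled 5.1 to 5.4 in the soundness analysis and spelled out in the claims. The second function exercises the concluding remark's point that the lone congruence $h^{x+y} \equiv h^{n+1} \pmod n$ also passes for $n = 9 \cdot 7$, where 9 is not prime.

```python
"""Two_Prime_Product run end to end with toy parameters (added worked example,
not the patent's own code).  Alice knows p, q; Bob knows only n = p*q, the
auxiliary prime P and his own g.  Helper names are mine."""
import random
from math import gcd


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0; 0 when gcd(a, n) > 1."""
    a, result = a % n, 1
    while a:
        while a % 2 == 0:                 # (2/n) = -1 iff n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                       # quadratic reciprocity
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def is_prime(m: int) -> bool:
    """Trial division; only toy-sized numbers appear here."""
    return m > 1 and all(m % d for d in range(2, int(m ** 0.5) + 1))


def choose_P(n: int) -> int:
    """Alice's auxiliary prime P = 2an + 1 (so n | P - 1), smallest such a."""
    a = next(a for a in range(1, 10 ** 6) if is_prime(2 * a * n + 1))
    return 2 * a * n + 1


def run_protocol(p: int, q: int, k: int, d: int = 2, seed: int = 1) -> bool:
    """k rounds of Two_Prime_Product between honest Alice and Bob; Bob's verdict.
    One seeded RNG stands in for both parties' coins; d is the bit-length slack."""
    rng = random.Random(seed)
    n = p * q
    P = choose_P(n)
    if not is_prime(P) or (P - 1) % n:                  # Bob checks P
        return False
    for _ in range(64):                                  # Bob fixes g = f^((P-1)/n)
        g = pow(rng.randrange(2, P), (P - 1) // n, P)
        A, B = pow(g, p, P), pow(g, q, P)                # Alice publishes A, B
        if A != B and A != 1 and B != 1:                 # this forces Ord_P(g) = n
            break
        # Toy n makes a low-order g likely (Lemma 1: about (p+q)/n), so Bob
        # redraws f instead of halting; at real sizes this never triggers.
    else:
        return False
    bound = n.bit_length() // 2 + d
    for _ in range(k):
        h = rng.randrange(2, n)                          # Bob: unit with (h/n) = -1
        while jacobi(h, n) != -1:
            h = rng.randrange(2, n)
        bu, bv = ((p - 1) // 2).bit_length(), ((q - 1) // 2).bit_length()
        u, v = rng.randrange(1 << (bu - 1), 1 << bu), rng.randrange(1 << (bv - 1), 1 << bv)
        U, V = pow(g, 2 * u, P), pow(g, 2 * v, P)        # Alice's commitments
        H_U, H_V = pow(B, pow(h, u, n), P), pow(A, pow(h, v, n), P)
        H_UV = pow(h, u, n) * pow(h, v, n) % n
        c = rng.randrange(2)                             # Bob's challenge bit
        r, s = (u, v) if c == 0 else (u + (p - 1) // 2, v + (q - 1) // 2)
        hr, hs = pow(h, r, n), pow(h, s, n)
        if r.bit_length() > bound or s.bit_length() > bound:           # 5.1
            return False
        if c == 0:
            if pow(g, 2 * r, P) != U or pow(g, 2 * s, P) != V:         # 5.2
                return False
            if pow(B, hr, P) != H_U or pow(A, hs, P) != H_V:           # 5.3
                return False
            if hr * hs % n != H_UV:                                    # 5.4
                return False
        else:
            if pow(g, 2 * r + 1, P) != U * A % P or pow(g, 2 * s + 1, P) != V * B % P:
                return False                                           # 5.2
            # 5.3: the exponents (h/p), (h/q) have opposite signs because (h/n) = -1
            lhs_U, lhs_V = pow(B, hr, P), pow(A, hs, P)
            inv_U, inv_V = pow(H_U, -1, P), pow(H_V, -1, P)
            if not ((lhs_U == H_U and lhs_V == inv_V) or
                    (lhs_U == inv_U and lhs_V == H_V)):
                return False
            if hr * hs % n != H_UV * pow(h, (n - 1) // 2, n) % n:     # 5.4
                return False
    return True


def weak_check_only(x: int, y: int) -> bool:
    """Does h^(x+y) = h^(n+1) (mod n), n = x*y, hold for every unit h?
    This lone congruence (step 5.4 by itself) is what the concluding remark shows
    to be insufficient: it passes for x = p^r, y = 2p^(r-1) + 1, e.g. x = 9, y = 7."""
    n = x * y
    return all(pow(h, x + y, n) == pow(h, n + 1, n)
               for h in range(1, n) if gcd(h, n) == 1)
```

`run_protocol(11, 13, k=20)` returns True for the honest run; `weak_check_only(9, 7)` returns True while `weak_check_only(9, 5)` returns False, so the congruence is not vacuous.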
CLAIMS

1. A method of exchanging digital public-key verification data whereby a first party enables a second party to obtain probabilistic evidence that a given public-key number $n$ is the product of exactly two odd primes $p$ and $q$, not known to the second party, whose bit lengths ($\ell(p)$, $\ell(q)$) differ by not more than $d$ bits; the method including the following steps, all operations being mod $P$ unless specified mod $n$, the method being halted should any check fail;

a) said first party provides to said second party a number $P$ such that $P$ is a prime number and $n \mid (P-1)$;

b) said second party provides to said first party a number $g$ where $g = f^{(P-1)/n} \bmod P$, $f < P$;

c) said first party provides to said second party numbers $A$ and $B$, where $A = g^p \bmod P$ and $B = g^q \bmod P$;

d) said second party checks that $A \ne B$, $A \ne 1$ and $B \ne 1$; whereupon the following steps are repeated up to $k$ times;

e) said second party selects a random number $h \in Z_n^*$ such that $\left(\frac{h}{n}\right) = -1$ and provides the number $h$ to the first party;

f) said first party checks that $\left(\frac{h}{n}\right) = -1$ and selects two random numbers $u$ and $v$ such that $\ell(u) = \ell((p-1)/2)$, $\ell(v) = \ell((q-1)/2)$ and provides to said second party the values

$$U = g^{2u}, \quad V = g^{2v}, \quad H_U = B^{(h^u \bmod n)}, \quad H_V = A^{(h^v \bmod n)}$$

and $H_{UV} = h^u h^v \bmod n$;

g) said second party sends a request to the first party that the first party provides to the second party values $r$ and $s$, which the second party randomly specifies should be either:

(1) $r = u$ and $s = v$; or

(2) $r = u + (p-1)/2$, $s = v + (q-1)/2$;

h) said first party provides the requested values $r$ and $s$ to the second party;

i) if the second party requested $r = u$ and $s = v$, the second party determines whether:

(1) $\ell(r) \le \lfloor \ell(n)/2 \rfloor + d$, $\ell(s) \le \lfloor \ell(n)/2 \rfloor + d$,

(2) $g^{2r+1} = Ug$, $g^{2s+1} = Vg$,

(3) $B^{(h^r \bmod n)} = H_U$, $A^{(h^s \bmod n)} = H_V$, and

(4) $h^r h^s = H_{UV} \pmod n$,

thereby verifying the values provided by the first party to the second party are as were required by steps a) to f); or, if the second party requested $r = u + (p-1)/2$, $s = v + (q-1)/2$, the second party determines whether:

(1) $\ell(r) \le \lfloor \ell(n)/2 \rfloor + d$, $\ell(s) \le \lfloor \ell(n)/2 \rfloor + d$,

(2) $g^{2r+1} = UA$, $g^{2s+1} = VB$,

(3) $B^{(h^r \bmod n)} = H_U^{\pm 1}$, $A^{(h^s \bmod n)} = H_V^{\mp 1}$ ($\pm$ and $\mp$ meaning the two exponents are of opposite sign), and

(4) $h^r h^s = H_{UV}\, h^{(n-1)/2} \pmod n$,

thereby obtaining said probabilistic evidence on whether the given public-key number $n$ is the product of exactly two odd primes $p$ and $q$ whose bit lengths ($\ell(p)$, $\ell(q)$) differ by not more than $d$ bits.

2. A method as claimed in claim 1 in which $d \le 2$.

3. A method as claimed in claim 1 in which at least one of the selections of random numbers or choice of $r$ and $s$ is uniformly distributed.

4. A computing entity comprising:

a data processing equipment;

a memory; and

a communications equipment,

said data processing equipment being configured so as to be capable of processing data according to a set of instructions stored in said memory;

said communications equipment configured so as to communicate data according to said set of instructions such that the computing entity is configured to:

a) receive from another computing entity a number $P$ such that $P$ is a prime number and $n \mid (P-1)$;

b) provide to said other computing entity a number $g$ where $g = f^{(P-1)/n} \bmod P$, $f < P$;

c) receive from said other computing entity numbers $A$ and $B$, where $A = g^p \bmod P$ and $B = g^q \bmod P$;

d) check that $A \ne B$, $A \ne 1$ and $B \ne 1$, and, if correct, repeat up to $k$ times;

e) select a random number $h \in Z_n^*$ such that $\left(\frac{h}{n}\right) = -1$ and provide the number $h$ to said other computing entity;

f) receive from said other computing entity $U = g^{2u}$, $V = g^{2v}$, $H_U = B^{(h^u \bmod n)}$, $H_V = A^{(h^v \bmod n)}$ and $H_{UV} = h^u h^v \bmod n$, where $u$ and $v$ are two random numbers such that $\ell(u) = \ell((p-1)/2)$, $\ell(v) = \ell((q-1)/2)$;

g) request the other computing entity to provide values $r$ and $s$, randomly specified to be either:

(1) $r = u$ and $s = v$; or

(2) $r = u + (p-1)/2$, $s = v + (q-1)/2$;

h) receive the requested values $r$ and $s$ from the other computing entity;

i) if $r = u$ and $s = v$ was requested, determine whether:

(1) $\ell(r) \le \lfloor \ell(n)/2 \rfloor + d$, $\ell(s) \le \lfloor \ell(n)/2 \rfloor + d$,

(2) $g^{2r+1} = Ug$, $g^{2s+1} = Vg$,

(3) $B^{(h^r \bmod n)} = H_U$, $A^{(h^s \bmod n)} = H_V$, and

(4) $h^r h^s = H_{UV} \pmod n$,

thereby verifying the values provided by the other computing entity are as were required by steps a) to i); or, if $r = u + (p-1)/2$, $s = v + (q-1)/2$ was requested, determine whether:

(1) $\ell(r) \le \lfloor \ell(n)/2 \rfloor + d$, $\ell(s) \le \lfloor \ell(n)/2 \rfloor + d$,

(2) $g^{2r+1} = UA$, $g^{2s+1} = VB$,

(3) $B^{(h^r \bmod n)} = H_U^{\pm 1}$, $A^{(h^s \bmod n)} = H_V^{\mp 1}$ ($\pm$ and $\mp$ meaning the two exponents are of opposite sign), and

(4) $h^r h^s = H_{UV}\, h^{(n-1)/2} \pmod n$,

thereby obtaining said probabilistic evidence on whether the given public-key number $n$ is the product of exactly two odd primes $p$ and $q$ whose bit lengths ($\ell(p)$, $\ell(q)$) differ by not more than $d$ bits.

5. A method as claimed in claim 4 in which $d \le 2$.

6. A method as claimed in claim 4 in which at least one of the selections of random numbers or choice of $r$ and $s$ is uniformly distributed.

7. A computing entity comprising:

a data processing equipment;

a memory; and

a communications equipment,

said data processing equipment being configured so as to be capable of processing data according to a set of instructions stored in said memory;

said communications equipment configured so as to communicate data according to said set of instructions such that the computing entity is configured to:

a) provide to another computing entity a number $P$ such that $P$ is a prime number and $n \mid (P-1)$;

b) receive from the other computing entity a number $g$ where $g = f^{(P-1)/n} \bmod P$, $f < P$;

c) provide to said other computing entity numbers $A$ and $B$, where $A = g^p \bmod P$ and $B = g^q \bmod P$;

d) receive from said other computing entity a random number $h \in Z_n^*$ such that $\left(\frac{h}{n}\right) = -1$;

e) check that $\left(\frac{h}{n}\right) = -1$ and, if so, select two random numbers $u$ and $v$ such that $\ell(u) = \ell((p-1)/2)$, $\ell(v) = \ell((q-1)/2)$ and provide to said other computing entity the values

$$U = g^{2u}, \quad V = g^{2v}, \quad H_U = B^{(h^u \bmod n)}, \quad H_V = A^{(h^v \bmod n)}$$

and $H_{UV} = h^u h^v \bmod n$;

f) receive from said other computing entity a request to provide to said other computing entity values $r$ and $s$, which said other computing entity randomly specifies should be either:

(1) $r = u$ and $s = v$; or

(2) $r = u + (p-1)/2$, $s = v + (q-1)/2$;

g) provide the requested values $r$ and $s$ to said other computing entity.

8. A method as claimed in claim 7 in which $d \le 2$.

9. A method as claimed in claim 7 in which at least one of the selections of random numbers is uniformly distributed.

10. A system of co-operating computer entities including a first computing entity as claimed in claim 4 and a second computing entity as claimed in claim 7.

11. A communication system comprising at least a pair of computing entities as claimed in claim 10 and a communications medium, each of said pair of computing entities being arranged to communicate with the other computing entity via the communications medium.

12. A communication system as claimed in claim 11 in which said communications medium includes one or more of any of the internet, local area network, wide area network, virtual private circuit or public telecommunications network.

13. A computer storage medium having stored thereon a computer program readable by a general purpose computer, the computer program including instructions for said general purpose computer to configure it to be as said computer entity as claimed in claim 4 or said computer entity as claimed in claim 7.

14. A method of exchanging digital public-key verification data, a computing entity, a communications system, a system of cooperating computing entities or a computer storage medium substantially as hereinbefore described with reference to the accompanying drawings.